├── Get-AppLockerConfig.ps1 ├── Invoke-Mimidogz ├── Invoke-Mimidogz.ps1 └── README.md ├── README.md ├── degregulator ├── README.md └── deregulator.py ├── fuzzing ├── README.md ├── afl-build.sh ├── afl-multi.sh └── boofuzz-ftp.py ├── htmlmailer ├── README.md └── htmlmailer.py └── type7decrypt.pl /Get-AppLockerConfig.ps1: -------------------------------------------------------------------------------- 1 | function Get-AppLockerConfig 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | This script is used to query the current AppLocker policy for a specified executable. 7 | 8 | Author: Matt Hand (@matterpreter) 9 | Required Dependencies: None 10 | Optional Dependencies: None 11 | Version: 1.0 12 | 13 | .DESCRIPTION 14 | 15 | This script is used to query the current AppLocker policy on the target and check the status of a user-defined executable or all executables in a path. 16 | 17 | .PARAMETER Executable 18 | 19 | Full filepath of the executable to test. This also supports wildcards (*) to test all executables in a directory. 20 | 21 | .PARAMETER User 22 | 23 | User to test the policy for. Default is "Everyone." 24 | 25 | .EXAMPLE 26 | 27 | Get-AppLockerStatus 'c:\windows\system32\calc.exe' 28 | Tests the AppLocker policy for calc.exe for "Everyone." 29 | 30 | Get-AppLockerStatus 'c:\users\jdoe\Desktop\*.exe' 'dguy' 31 | Tests the AppLocker policy for "dguy" against every file ending in ".exe" in jdoe's Desktop folder. 32 | 33 | #> 34 | Param( 35 | [Parameter(Mandatory=$true)] 36 | [string]$Executable, 37 | [string]$User = 'Everyone' 38 | ) 39 | 40 | if (-NOT (test-path $Executable)){ 41 | Write-Host "[-] Executable not found or you do not have access to it. Exiting..." 42 | Return 43 | } 44 | 45 | if (-NOT (Get-WmiObject Win32_UserAccount -Filter "LocalAccount='true' and Name='$User'")){ 46 | Write-Host "[-] User does not exist. Exiting..." 
47 | Return 48 | } 49 | 50 | 51 | $AppLockerCheck = Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Executable -User $User 52 | $AppLockerStatus = $AppLockerCheck | Select-String -InputObject {$_.PolicyDecision} -Pattern "Allowed" 53 | 54 | if ($AppLockerStatus -Match 'Allowed') { $Result = "[+] $Executable - ALLOWED for $User!" } 55 | else { $Result = "[-] $Executable - BLOCKED for $USER"} 56 | 57 | $Result 58 | } 59 | -------------------------------------------------------------------------------- /Invoke-Mimidogz/README.md: -------------------------------------------------------------------------------- 1 | Currently detected by 29/58 AV engines (August 16, 2017): 2 | https://www.virustotal.com/#/file/ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f51d9a2a5bb/detection 3 | 4 | New version detected by 13/58 AV engines (August 16, 2017): 5 | https://www.virustotal.com/#/file/6497ca1dd32631055f787d35b79d7ae2f2a42f8601ccf56124ffc0f3efcb066d/detection 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # misc 2 | Collection of things I've written on pentests to make life easier. 3 | -------------------------------------------------------------------------------- /degregulator/README.md: -------------------------------------------------------------------------------- 1 | deregulator.py 2 | ============== 3 | This script allows a user to increase or decrease the power of their 4 | wireless radios by resetting the regulations associate with card and 5 | modifying the TX power. 6 | 7 | Usage: python deregulator.py interface_name power_in_dBm 8 | (ex. `python deregulator.py wlan1 30`) 9 | 10 | NOT FOR USE IN THE UNITED STATES! 
11 | -------------------------------------------------------------------------------- /degregulator/deregulator.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | interface = str(sys.argv[1]) 5 | power = sys.argv[2] 6 | grab_pow = "iwconfig " + interface + ''' | grep Tx-Power | awk 'BEGIN {FS="=[ \t]*|/[ \t]*|:[ \t]*|[ \t]+"}{print $8 $9}' ''' 7 | 8 | old_pow = os.popen(grab_pow).read() 9 | print "[+] Starting inteface power: " + old_pow.strip() 10 | 11 | print "[+] Configuring the interface..." 12 | os.system("ifconfig " + interface + " down") #Take the interface down 13 | os.system("iw reg set BO") #Set the country code to Bolivia 14 | os.system("iwconfig " + interface + " txpower " + power) #Set the Tx-Power 15 | os.system("ifconfig " + interface + " up") #Bring the interface back up 16 | 17 | new_pow = os.popen(grab_pow).read() 18 | print "[+] New interface power: " + new_pow.strip() 19 | -------------------------------------------------------------------------------- /fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # fuzzing 2 | Random stuff I use for fuzzing. Mostly AFL and Sulley. 3 | 4 | afl-build.sh - Script to setup my AFL test bench on an Ubuntu 16.04 VM. Will likely need to be tweaked if anyone else will use it. 5 | 6 | afl-multi.sh - Script that creates 1 master and N slaves for single-system parallelization. Really useful for compute optimized AWS instances with tons of cores. 7 | 8 | boofuzz-ftp.py - Boofuzz FTP fuzzer. Used with vsftpd but works with any FTP server. -------------------------------------------------------------------------------- /fuzzing/afl-build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### 3 | # Simple script to automatically build my AFL test bench. 
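###

# Print a diagnostic to stderr and stop; used on the steps whose failure
# would otherwise let later "make install" / "cd" runs operate in the wrong
# directory.
die() { printf '%s\n' "$*" >&2; exit 1; }

# One absolute log file. The original appended to a relative "build.log",
# which ended up in a different directory after every cd.
readonly log="${PWD}/build.log"

if [[ $EUID -ne 0 ]]; then
  die "This script must be run as root"
fi

# Update and install needed applications if they're not already there.
echo "[+] Updating system..."
# Enable the deb-src entries so build dependencies can be fetched.
sed -i '/deb-src/s/^# *//' /etc/apt/sources.list
apt-get update >>"$log" 2>&1
apt-get -y upgrade >>"$log" 2>&1
echo "[+] Installing required packages..."
apt-get install -y wget build-essential clang screen vim python3 \
  python3-setuptools gdb debootstrap libini-config-dev libtool-bin \
  automake bison libglib2.0-dev qemu >>"$log" 2>&1

# Setup the system for AFL
echo "[+] Installing latest AFL..."
# afl-fuzz aborts when core_pattern pipes crashes to an external helper, so
# switch to plain core files.
echo core >/proc/sys/kernel/core_pattern
mkdir -p ~/testcases ~/findings
# ramfs does not enforce size=, so the testcase mount could grow until memory
# is exhausted; tmpfs honours the limit. Skip if already mounted (re-runs).
mountpoint -q ~/testcases || mount -t tmpfs -o size=512m tmpfs ~/testcases

# Download and install AFL
# NOTE(review): afl-latest.tgz is fetched over plain HTTP and then built and
# installed as root with no checksum or signature verification. Pin a release
# and compare against a known-good hash before trusting this on a shared bench.
rm -f -- afl-latest.tgz
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz >>"$log" 2>&1 \
  || die "download of afl-latest.tgz failed (see $log)"
tar xzvf afl-latest.tgz >>"$log" 2>&1 || die "could not extract afl-latest.tgz"
# Trailing slash restricts the glob to directories, so the tarball itself
# does not match.
cd afl-*/ || die "AFL source directory not found after extraction"
make >>"$log" 2>&1 || die "AFL build failed (see $log)"
make install >>"$log" 2>&1
# LLVM instrumentation mode; llvm-config-3.8 matches the clang shipped with
# the Ubuntu 16.04 bench this script targets.
(cd llvm_mode && LLVM_CONFIG=llvm-config-3.8 make >>"$log" 2>&1) \
  || die "llvm_mode build failed (see $log)"
make install >>"$log" 2>&1

# Build out support for QEMU. qemu_mode is a direct child of the AFL tree we
# are already in; the original "cd afl*/qemu_mode" from here did not resolve
# and the build script never ran.
(cd qemu_mode && ./build_qemu_support.sh >>"$log" 2>&1) \
  || die "qemu_mode build failed (see $log)"
make install >>"$log" 2>&1

# Download and install afl-utils
echo "[+] Installing afl-utils..."
cd /opt || die "cannot cd to /opt"
# NOTE(review): unpinned clone of a third-party repository installed
# system-wide as root; pin a commit if this bench is reused.
git clone https://github.com/rc0r/afl-utils.git >>"$log" 2>&1
cd afl-utils || die "afl-utils checkout not found in /opt"
python3 setup.py install >>"$log" 2>&1
# The egg path is specific to python3.5 / exploitable-1.32 on this bench.
# Check first so repeated runs do not append duplicate "source" lines.
exploitable_line="source /usr/lib/python3.5/site-packages/exploitable-1.32_rcor-py3.5.egg/exploitable/exploitable.py"
grep -qxF -- "$exploitable_line" ~/.gdbinit 2>/dev/null \
  || printf '%s\n' "$exploitable_line" >> ~/.gdbinit

##Create chroot
#echo "[+] Creating chroot..."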
56 | #mkdir afl && cd afl 57 | #debootstrap --variant=buildd xenial chroot http://mirror.math.princeton.edu/pub/ubuntu/ >>build.log 2>&1 58 | #mount -o bind /proc chroot/proc 59 | #mount -o bind /dev chroot/dev 60 | #mount -o bind /dev/pts chroot/dev/pts 61 | #mount -o bind /dev/ptmx chroot/dev/ptmx 62 | #cp /etc/resolv.conf chroot/etc/resolv.conf 63 | #cp /etc/apt/sources.list chroot/etc/apt/sources.list 64 | #chroot chroot/ apt-get update >>build.log 2>&1 65 | #chroot chroot/ apt-get upgrade -y >>build.log 2>&1 66 | #chroot chroot/ apt-get install vim screen -y >>build.log 2>&1 67 | #chroot chroot/ apt-get install build-essential -y >>build.log 2>&1 68 | #cp afl-latest.tgz chroot/root 69 | 70 | #Download and install PEDA 71 | echo "[+] Installing PEDA..." 72 | git clone https://github.com/longld/peda.git ~/peda >>build.log 2>&1 73 | echo "source ~/peda/peda.py" >> ~/.gdbinit 74 | 75 | echo "[+] AFL Test Bench ready to go!" 76 | echo "afl-gcc location: "$(which afl-gcc) 77 | -------------------------------------------------------------------------------- /fuzzing/afl-multi.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script will build out one master and a specified number of AFL slave 3 | # instances inside of screen sessions. 4 | # Example usage: 5 | # ./afl-multi.sh -n 32 -i /root/testcases -o /root/syncdir -c "tcpdump -nr @@" 6 | # 7 | # Author: Matt Hand (@matterpreter) 8 | 9 | usage() { 10 | echo "Usage: $0 " 1>&2 11 | echo " -n = Number of AFL jobs to create (2 to 64)" 1>&2 12 | echo " -i = Directory containing your testcase(s)" 1>&2 13 | echo " -o = Location of your empty output directory" 1>&2 14 | echo ' -c = Command to run AFL against in quotes (ex. 
"tcpdump -nr @@")' 1>&2 15 | exit 1 16 | } 17 | 18 | build () { 19 | echo "[*] Initiating build of $instances fuzzers running 'afl-fuzz -i $testcases -o $syncdir $afl_command'" 20 | echo "[*] Creating master instance" 21 | screen -S master -d -m afl-fuzz -i /root/testcases/ -o /root/syncdir/ -M master $afl_command 22 | # Added in the sleep timers to help control random crashes on startup 23 | sleep 5 24 | for ((i=1;i 4 | More info: http://matterpreter.com/advanced-email-phishing-tactics-revisited/
6 | Usage: `./htmlmailer.py -t recipient_list -m HTML_message_template` 7 | -------------------------------------------------------------------------------- /htmlmailer/htmlmailer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | import smtplib 4 | import MimeWriter 5 | import mimetools 6 | import getpass 7 | import cStringIO 8 | import base64 9 | from optparse import OptionParser 10 | 11 | ####REQUIRED TO BE CHANGED BY USER!#### 12 | #Server variables 13 | host = '' #Most accounts must be verified before sending email through! 14 | port = '' #Try 25, 587, or 465 15 | subject = "" #Subject of the message 16 | ###################################### 17 | 18 | #Setup arguments 19 | usage = "Usage: %prog -m -t " 20 | parser = OptionParser(usage=usage) 21 | parser.add_option('-m', '--message', dest='message_file', type='string', \ 22 | help='File with the body of the message you want to send.') 23 | parser.add_option('-t', '--recipient', dest='recipient_file', type='string', \ 24 | help='File with a list of emails you want to send the message to.') 25 | (opts, args) = parser.parse_args() 26 | message_file = opts.message_file 27 | recipient_file = opts.recipient_file 28 | if len(sys.argv) < 2: 29 | parser.print_help() 30 | sys.exit(1) 31 | 32 | def createhtmlmail(subject, message_file, recipient): 33 | f = open(message_file, 'r') 34 | nonunique = f.read() 35 | f.close() 36 | unique = nonunique.replace("$IDENTIFIER$", base64.b64encode(recipient)) 37 | out = cStringIO.StringIO() 38 | htmlin = cStringIO.StringIO(unique) 39 | writer = MimeWriter.MimeWriter(out) 40 | writer.addheader("To", recipient) 41 | writer.addheader("Subject", subject) 42 | writer.addheader("MIME-Version", "1.0") 43 | writer.startmultipartbody("alternative") 44 | writer.flushheaders() 45 | subpart = writer.nextpart() 46 | subpart.addheader("Content-Transfer-Encoding", "quoted-printable") 47 | pout = 
subpart.startbody("text/html", [("charset", 'us-ascii')]) 48 | mimetools.encode(htmlin, pout, 'quoted-printable') 49 | htmlin.close() 50 | writer.lastpart() 51 | msg = out.getvalue() 52 | out.close() 53 | return msg 54 | 55 | if __name__=="__main__": 56 | user = raw_input("Please provide the username: ") #Typically the full sender address 57 | passw = getpass.getpass("Please provide the password for " + user + ": ") 58 | server = smtplib.SMTP(host, port) 59 | # server.set_debuglevel(1) #Uncomment to turn on debugging 60 | server.ehlo() 61 | server.starttls() 62 | server.login(user, passw) 63 | with open(recipient_file) as r: 64 | for recipient in r: 65 | message = createhtmlmail(subject, message_file, recipient) 66 | try: 67 | server.sendmail(user, recipient, message) 68 | print "[+] Successfully sent email to " + recipient 69 | except smtplib.SMTPException as e: 70 | print "[!] Error: unable to send email to " + recipient 71 | print e 72 | server.quit() 73 | -------------------------------------------------------------------------------- /type7decrypt.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # Stolen from Alex @ www.question-defense.com 3 | 4 | use File::Copy; 5 | 6 | ############################################################################ 7 | # Vigenere translation table 8 | ############################################################################ 9 | @V=(0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 10 | 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 11 | 0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39, 12 | 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33, 13 | 0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37); 14 | ############################################################################ 15 | 16 | ############################################################################ 17 | # Usage guidelines 18 | 
############################################################################ 19 | if ($ARGV[0] eq ""){ 20 | print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.\n"; 21 | print "\n"; 22 | print "Usage guidelines:\n"; 23 | print " type7decrypt.pl 04480E051A33490E # Reveals a single password\n"; 24 | print " type7decrypt.pl running-config.rcf # Changes all passwords in a file to cleartext\n"; 25 | print " # Original file stored with .bak extension\n"; 26 | } 27 | 28 | ############################################################################ 29 | # Process arguments and execute 30 | ############################################################################ 31 | if(open(F,"<$ARGV[0]")){ # If argument passed can be opened then convert a file 32 | open(FO,">cdcout.rcf") || die("Cannot open 'cdcout.rcf' for writing ($!)\n"); 33 | while(){ 34 | if (/(.*password\s)(7\s)([0-9a-fA-F]{4,})/){ # Find password commands 35 | my $d=Decrypt($3); # Deobfuscate passwords 36 | s/(.*password\s)(7\s)([0-9a-fA-F]{4,})/$1$d/; # Remove '7' and add cleartext password 37 | } 38 | print FO $_; 39 | } 40 | close(F); 41 | close(FO); 42 | copy($ARGV[0],"$ARGV[0].bak")||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'"); 43 | copy("cdcout.rcf",$ARGV[0])||die("Cannot copy '$ARGV[0]' to '$ARGV[0].bak'"); 44 | unlink "cdcout.rcf"; 45 | }else{ # If argument passed cannot be opened it is a single password 46 | print Decrypt($ARGV[0]) . "\n"; 47 | } 48 | 49 | ############################################################################ 50 | # Vigenere decryption/deobfuscation function 51 | ############################################################################ 52 | sub Decrypt{ 53 | my $pw=shift(@_); # Retrieve input obfuscated password 54 | my $i=substr($pw,0,2); # Initial index into Vigenere translation table 55 | my $c=2; # Initial pointer 56 | my $r=""; # Variable to hold cleartext password 57 | while ($c