Skip to content

Instantly share code, notes, and snippets.

View cephurs's full-sized avatar

cephurs

146 followers · 1.3k following
View GitHub Profile
@cephurs
cephurs / floss-lite.py
Created May 26, 2018 03:15 — forked from williballenthin/floss-lite.py
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: [email protected]
@cephurs
cephurs / pamcam
Created March 22, 2018 18:12 — forked from misterch0c/pamcam
Take a screenshot when someone enters a wrong password
#/etc/pam.d/system-auth
#%PAM-1.0
# Jump two rules if login succeeds.
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth optional pam_exec.so /home/pamcam.sh
auth requisite pam_deny.so
# User gets here if authentication is successful. No denying, no cam module.
auth required pam_unix.so try_first_pass nullok
@cephurs
cephurs / vb-ref.md
Created March 7, 2018 17:29 — forked from williballenthin/vb-ref.md
@cephurs
cephurs / r2retdec.py
Created February 17, 2018 21:55 — forked from thestr4ng3r/r2retdec.py
import r2pipe
import os
from subprocess import run
retdec_exec = "retdec-decompiler.sh"
r2 = r2pipe.open()
filepath = r2.cmdj("ij")["core"]["file"]
@cephurs
cephurs / client.ps1
Created January 25, 2018 19:59
TLS C2
function Get-PublicKey
{
[OutputType([byte[]])]
PARAM (
[Uri]$Uri
)
if (-Not ($uri.Scheme -eq "https"))
{
Write-Error "You can only get keys for https addresses"
@cephurs
cephurs / InterceptorThing.ps1
Created January 24, 2018 18:39
Interceptor - Normal User No Admin Required.
<#
.SYNOPSIS
This script demonstrates the ability to capture and tamper with Web sessions.
For secure sessions, this is done by dynamically writing certificates to match the requested domain.
This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack.
Function: Interceptor
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@cephurs
cephurs / script.ps1
Created January 24, 2018 08:13
Hooking MessageBox For No-Prompt Trusted Root Certificate Install
#Verify Not Present
( Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" })
#Import-Certificate
( Get-ChildItem -Path C:\Test\thing.cer ) | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
#Prompted
Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99
@cephurs
cephurs / google-dorks
Created January 13, 2018 03:35 — forked from clarketm/google-dorks
Listing of a number of useful Google dorks.
" _ _ "
" _ /|| . . ||\ _ "
" ( } \||D ' ' ' C||/ { % "
" | /\__,=_[_] ' . . ' [_]_=,__/\ |"
" |_\_ |----| |----| _/_|"
" | |/ | | | | \| |"
" | /_ | | | | _\ |"
It is all fun and games until someone gets hacked!
@cephurs
cephurs / PSReflect-RegKeyFixer.ps1
Created January 3, 2018 13:55 — forked from brianreitz/PSReflect-RegKeyFixer.ps1
A port of Joakim Schicht's RegKeyFixer using PSReflect. Will find and delete "hidden" value entries created by PSReflect-RegHide.ps1
# A port of Joakim Schicht's RegKeyFixer in PowerShell.
# https://github.com/jschicht/RegKeyFixer
#
# This script will recursively search keys starting from the Keyname
# for any value entry names with null characters
# Example usage:
# $SID = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# $KeyName = "\Registry\User\$SID\SOFTWARE\Microsoft\Windows\CurrentVersion"
# $Results = Get-HiddenNames -KeyName $KeyName
# $Results | Remove-HiddenNames
@cephurs
cephurs / PSReflect-RegHide.ps1
Created January 3, 2018 13:54 — forked from brianreitz/PSReflect-RegHide.ps1
PowerShell script to hide a Run key like Reghide/Kovter/Poweliks
# requires PSReflect.ps1 to be in the same directory as this script
. .\PSReflect.ps1
$Module = New-InMemoryModule -ModuleName RegHide
# Define our structs.
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
# typedef struct _UNICODE_STRING {
# USHORT Length;
# USHORT MaximumLength;