Skip to content

Instantly share code, notes, and snippets.

View ffcommax's full-sized avatar
:octocat:

ffcommax

:octocat:
3 followers · 10 following
View GitHub Profile
@ffcommax
ffcommax / Web_Triks.txt
Last active March 13, 2022 16:52
Web_Triks
BurpJSLinkFinder
viewdns
ip histry
b dir
meg
dirsearch
@ffcommax
ffcommax / advisories.txt
Created January 18, 2022 12:46
advisories
https://www.checkpoint.com/advisories/
https://www.zerodayinitiative.com/advisories/published/
https://github.com/nomi-sec
@ffcommax
ffcommax / user_logon_logs.txt
Created January 18, 2022 07:15
user logon logs
how to get user logon logs
Get-EventLog -LogName security -InstanceId 4625 -After ((Get-Date).AddDays(-100)) | Select-Object -Property timegenerated, @{n="AccountName";e = {$.replacementstrings[5]}}, @{n="AccountDomain";e = {$.replacementstrings[6]}}, @{n="WorkstationName" ; e = {$_.replacementstrings[19]}} | export-csv c:\users\public\logs.csv
@ffcommax
ffcommax / Sharepoint.txt
Created January 9, 2022 18:50
Sharepoint
https://github.com/H0j3n/EzpzSharepoint
@ffcommax
ffcommax / Simple_Port_scanner.ps1
Created December 4, 2021 18:07
Simple_Port_scanner
1..255 | % { $a = $_; 135,389,3389,445,5986 | % {"10.0.61.$a";echo ((new-object Net.Sockets.TcpClient).Connect("10.0.61.$a",$_)) "Port $_ is open!"} 2>$null}
@ffcommax
ffcommax / Authenticated Remote Code Execution Methods in Windows.txt
Created December 4, 2021 18:07
Authenticated Remote Code Execution Methods in Windows
1. Service Control Manager (SCM)
This method is used by psexec and all of its clones to start the executable that psexec creates.
Result:
A command to be run on demand and/or boot as SYSTEM (or less privileged accounts, but why would you do that?).
Example:
step 1/2; a new service can be created:
sc REMOTECOMPUTERNAME create myservicename binPath= executableToRun start= auto
alternatively, an existing service can be reconfigured:
sc REMOTECOMPUTERNAME config existingservice binPath= executableToRun start= auto
step 2/2; executableToRun will run on the remote system on boot as SYSTEM, or when instructed by:
@ffcommax
ffcommax / rdphistory.ps1
Created November 29, 2021 18:17
rdphistory
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Results = @()
$Events = Get-WinEvent -LogName $LogName
foreach ($Event in $Events) {
$EventXml = [xml]$Event.ToXML()
$ResultHash = @{
Time = $Event.TimeCreated.ToString()
'Event ID' = $Event.Id
'Desc' = ($Event.Message -split "`n")[0]
@ffcommax
ffcommax / EWS_Brut.py
Created November 28, 2021 19:16
EWS_Brut
#https://github.com/0x0021h/expbox
#!/usr/bin/python
import socket, time
import http.client as httplib
import requests
import urllib
import os, ssl
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
@ffcommax
ffcommax / Microsoft Office Product Spawning Windows Shell.yml
Created November 8, 2021 13:20
Microsoft Office Product Spawning Windows Shell
title: Microsoft Office Product Spawning Windows Shell
id: 438025f9-5856-4663-83f7-52f878a70a50
status: experimental
description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
tags:
- attack.execution
- attack.t1204 # an old one
@ffcommax
ffcommax / Pentest-Tools Good
Created October 31, 2021 13:14
Pentest-Tools Good
https://github.com/S3cur3Th1sSh1t/Pentest-Tools