Goals: Add links that are reasonable and good explanations of how stuff works. No hype and no vendor content if possible. Practical first-hand accounts of models in prod eagerly sought.
Jeff McJunkin jeffmcjunkin
singe
/ hashcat_maskgen.sh
Created
April 17, 2023 11:16
Generate a list of hashcat masks from a wordlist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # hashcat mask generator | |
| # by @singe | |
| infile="$1" | |
| outfile="$1.freq.masks" | |
| outfile2="$1.length.masks" | |
| tmp=$(mktemp) |
monoxgas
/ urbandoor.cs
Created
April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |
nasbench
/ pwsh_dirty_words.yml
Last active
March 19, 2025 19:57
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: System.Management.Automation.dll | |
| # This list is used to determin if a ScriptBlock contains potential suspicious content | |
| # If a match is found an automatic 4104 with a "warning" level is generated. | |
| # https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs | |
| - "Add-Type" | |
| - "AddSecurityPackage" | |
| - "AdjustTokenPrivileges" | |
| - "AllocHGlobal" | |
| - "BindingFlags" | |
| - "Bypass" |
nullenc0de
/ 365doms.py
Created
February 23, 2023 01:37
modified from https://github.com/expl0itabl3/check_mdi
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| Python script to enumerate valid Microsoft 365 domains, retrieve tenant name, and check for an MDI instance. | |
| Based on: https://github.com/thalpius/Microsoft-Defender-for-Identity-Check-Instance. | |
| Usage: ./check_mdi.py -d <domain> | |
| """ | |
| import argparse | |
| import dns.resolver |
rqu1
/ pan-oracle.py
Last active
February 15, 2024 19:00
0day padding oracle in PAN master key decryption
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import paramiko | |
| import sys | |
| import requests | |
| pad=lambda n: '\0'*(n+1)+(chr(16-n)*(16-n-1)) | |
| block_xor=lambda x,y: ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y)) | |
| byte_xor=lambda x,y,z: x[:y]+chr(ord(x[y])^z)+x[y+1:] | |
| set_pad=lambda x,n: block_xor(pad(n), x) | |
| def formatData(d): |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
singe
/ inplace-maskgen.sh
Last active
April 19, 2023 17:37
Convert clear passwords into slightly more generalised brute force masks for hashcat mode -a3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| file="$1" | |
| tmp=$(mktemp) | |
| # change specials & digits to hashcat format | |
| sed -e "s/[[:punct:]]/?s/g" \ | |
| -e "s/[[:digit:]]/?d/g" \ | |
| $file \ | |
| > $tmp \ | |
| && \ |
Purp1eW0lf
/ Sysmon_Lab.ps1
Last active
December 16, 2024 16:16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2022 March 28th | |
| Updated: 2023 October 6th | |
| Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb) | |
| Company: Huntress Labs | |
| Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab. | |
| #> | |
| ################################################################################################################ |
EvanMcBroom
/ sms-crypto-unobfuscate-string.c
Last active
January 24, 2024 23:48
SCCM Credential Recovery for Network Access Accounts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Research by Evan McBroom and Chris Thompson (@_Mayyhem) | |
| * Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered. | |
| * Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/ | |
| * Roger stated that recover was "possible with a few lines of code" but did not provide any code. Here is working code. | |
| */ | |
| #include <Windows.h> | |
| #include <stdio.h> |