Frank Spierings FrankSpierings

## pretty_print_ntlm_impacket.py
import datetime
import json
from impacket.structure import Structure
from enum import Flag, Enum


class NegotiateFlags(Flag):
    NTLMSSP_NEGOTIATE_56                       = 0x80000000
    NTLMSSP_NEGOTIATE_KEY_EXCH                 = 0x40000000
    NTLMSSP_NEGOTIATE_128                      = 0x20000000

## mitmproxy-http-ntlm.py
from mitmproxy import http, ctx
from impacket.ntlm import getNTLMSSPType1, getNTLMSSPType3
import requests
import logging
import base64

username = "username"
password = "password"
domain = ''

## http-ntlm.py
from impacket.ntlm import getNTLMSSPType1, getNTLMSSPType3
import requests
import base64

# Replace these values with your IIS server details
target_url = "http://localhost"
username = "username"
password = "password"
domain = ''

## deploy-applocker.ps1
# Requires system privileges!
# Thank you: https://github.com/sandytsang/MSIntune/blob/master/Intune-PowerShell/AppLocker/Delete-AppLockerEXE.ps1

$path = "<PATH TO APPLOCKER XML'S>"

$xmls = (ls -filter '*.xml' $path |% {$_.FullName})

$Appx, $Dll, $Exe, $Msi, $Script = $null

$xmls |% {

## client-desync-error-path.bcheck
metadata:
    language: v1-beta
    name: "Potential Client-Side Desync on erroneous path"
    description: "Tests for Client-Side Desync vulnerabilities on specifically erroneous paths"
    author: "Frank Spierings"

run for each:
    potential_path =
        "/..%2f",
        "/%2e%2e",

## BurpCAMagiskRooted.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                FrankSpierings
                / BurpCAMagiskRooted.md
            
            
              Created
              July 25, 2022 10:08
            
              
                Install Burp CA Certificate on Magisk Rooted Device
              
          
    Magisk Module


Use the modified Magisk module to install the certificate in both the user and the system store.

git clone https://github.com/Magisk-Modules-Repo/movecert.git

Apply cp patch
Magisk-Modules-Repo/movecert#16


## lab-request-smuggling-h2-request-splitting-via-crlf-injection-solution.py
# Thanks to h2 for the example code and thanks to Portswigger for the awesome free labs!
# - https://python-hyper.org/projects/h2/en/stable/plain-sockets-example.html
# - https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection
#
import socket
import ssl

import h2.connection
import h2.events

## dinvoke-shellcode.cs
/*
    - Compile: docker run --rm -it -v /tmp/data:/tmp/data mono csc /tmp/data/dinvoke-shellcode.cs -out:/tmp/data/dinvoke-shellcode.exe /platform:x64 /unsafe
    - Reference (Thanks!) : https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
*/
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;
using Microsoft.Win32;

## Invoke-SQLCmd.ps1
function Invoke-SQLCmd {
    param(
        [Parameter(Mandatory=$True)]
        [string] $Server,
        [Parameter(Mandatory=$True)]
        [string] $Database,
        [Parameter(Mandatory=$True)]
        [string] $Query
    );

## sharpshooter-hta.diff
diff --git a/SharpShooter.py b/SharpShooter.py
index 9b10de1..50cece0 100644
--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -286,7 +286,7 @@ End Sub"""
                 raise Exception

             if(payload_type == 1):
-                if(args.comtechnique):
+                if(args.comtechnique or args.dotnetver == str(4)):
	import datetime
	import json
	from impacket.structure import Structure
	from enum import Flag, Enum


	class NegotiateFlags(Flag):
	NTLMSSP_NEGOTIATE_56 = 0x80000000
	NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
	NTLMSSP_NEGOTIATE_128 = 0x20000000
	from mitmproxy import http, ctx
	from impacket.ntlm import getNTLMSSPType1, getNTLMSSPType3
	import requests
	import logging
	import base64

	username = "username"
	password = "password"
	domain = ''
	# Requires system privileges!
	# Thank you: https://github.com/sandytsang/MSIntune/blob/master/Intune-PowerShell/AppLocker/Delete-AppLockerEXE.ps1

	$path = "<PATH TO APPLOCKER XML'S>"

	$xmls = (ls -filter '*.xml' $path \|% {$_.FullName})

	$Appx, $Dll, $Exe, $Msi, $Script = $null

	$xmls \|% {
	metadata:
	language: v1-beta
	name: "Potential Client-Side Desync on erroneous path"
	description: "Tests for Client-Side Desync vulnerabilities on specifically erroneous paths"
	author: "Frank Spierings"

	run for each:
	potential_path =
	"/..%2f",
	"/%2e%2e",
	# Thanks to h2 for the example code and thanks to Portswigger for the awesome free labs!
	# - https://python-hyper.org/projects/h2/en/stable/plain-sockets-example.html
	# - https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection
	#
	import socket
	import ssl

	import h2.connection
	import h2.events
	/*
	- Compile: docker run --rm -it -v /tmp/data:/tmp/data mono csc /tmp/data/dinvoke-shellcode.cs -out:/tmp/data/dinvoke-shellcode.exe /platform:x64 /unsafe
	- Reference (Thanks!) : https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
	*/
	using System;
	using System.Runtime.InteropServices;
	using System.Diagnostics;
	using System.ComponentModel;
	using Microsoft.Win32;
	function Invoke-SQLCmd {
	param(
	[Parameter(Mandatory=$True)]
	[string] $Server,
	[Parameter(Mandatory=$True)]
	[string] $Database,
	[Parameter(Mandatory=$True)]
	[string] $Query
	);
	diff --git a/SharpShooter.py b/SharpShooter.py
	index 9b10de1..50cece0 100644
	--- a/SharpShooter.py
	+++ b/SharpShooter.py
	@@ -286,7 +286,7 @@ End Sub"""
	raise Exception

	if(payload_type == 1):
	- if(args.comtechnique):
	+ if(args.comtechnique or args.dotnetver == str(4)):