Links describing the leaked EQ Group tools for Windows
Repositories and ports
-
Lost in Translation - A repository of the leaked tools
-
MS17-010 - Port of some of the exploits to Windows 10
Marcello byt3bl33d3r
byt3bl33d3r
/ google_lure.py
Created
December 1, 2022 01:08
— forked from ustayready/google_lure.py
Generate phishing lures that exploit open-redirects from www.google.com using Google Docs
View google_lure.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from __future__ import print_function | |
| import pickle | |
| import os.path | |
| from googleapiclient.discovery import build | |
| from google_auth_oauthlib.flow import InstalledAppFlow | |
| from google.auth.transport.requests import Request | |
| from apiclient import errors | |
| import re | |
| from bs4 import BeautifulSoup as Soup |
byt3bl33d3r
/ tcpdump.py
Created
September 5, 2022 13:02
— forked from gteissier/tcpdump.py
Pythonic tcpdump: copy, paste, and enjoy
View tcpdump.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| It has been tested with either py2 or py3. | |
| Beware ancient versions of Linux kernel which may not support SOCK_NONBLOCK | |
| or the memory mapped ring buffer. | |
| BPF filter listed below is compiled form of "not port 22" | |
| if you want to change it, do something like |
byt3bl33d3r
/ index.ts
Last active
August 3, 2022 05:16
HonoJS Redirector - https://byt3bl33d3r.substack.com/publish/post/66929654
View index.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import { Hono } from "hono"; | |
| const app = new Hono() | |
| app.get('/', async (c) => { | |
| const bad_user_agent_array = ['curl', 'httpie'] | |
| const user_agent = c.req.header('User-Agent') | |
| const ip = c.req.header("CF-Connecting-IP") |
byt3bl33d3r
/ sccmdecryptpoc.cs
Created
July 4, 2022 14:45
— forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
View api.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from logger import capturer | |
| from typing import Optional | |
| from fastapi import FastAPI | |
| app = FastAPI() | |
| @app.get("/logs") | |
| async def get_logs(event_name: Optional[str] = None): | |
| if not event_name: |
byt3bl33d3r
/ log4j_rce_check.py
Created
December 10, 2021 06:02
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (https://www.lunasec.io/docs/blog/log4j-zero-day/)
View log4j_rce_check.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/env python3 | |
| ''' | |
| Needs Requests (pip3 install requests) | |
| Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
| License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License) | |
| This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021. |
byt3bl33d3r
/ manager-config.yml
Created
November 14, 2021 19:05
Nebula configuraton files for docker swarm manager and worker nodes
View manager-config.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address | |
| # See the example config file to know what all of these options do https://github.com/slackhq/nebula/blob/master/examples/config.yml | |
| pki: | |
| ca: /etc/nebula/ca.crt | |
| cert: /etc/nebula/host.crt | |
| key: /etc/nebula/host.key | |
| static_host_map: | |
| "192.168.100.1": ["<LIGHTHOUSE_IP>:4242"] |
byt3bl33d3r
/ EQgroup.md
Created
October 17, 2021 09:36
— forked from bontchev/EQgroup.md
Curated list of links describing the leaked Equation Group tools for Windows
View EQgroup.md
byt3bl33d3r
/ mainc.c
Created
October 2, 2021 21:22
— forked from jackullrich/mainc.c
Single Step Encryption/Decryption
View mainc.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo); | |
| typedef VOID(__stdcall* Shellcode)(); | |
| LPBYTE ShellcodeBuffer; | |
| ULONG_PTR PreviousOffset; | |
| ULONG_PTR CurrentOffset; | |
| ULONGLONG InstructionCount; | |
| DWORD dwOld; |
byt3bl33d3r
/ Caddyfile
Last active
May 22, 2023 14:05
Caddyfile reverse proxy example for C2 platforms
View Caddyfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this. | |
| acme_ca https://acme-staging-v02.api.letsencrypt.org/directory | |
| } | |
| (proxy_upstream) { | |
| # Enable access logging to STDOUT | |
| log | |
| # This is our list of naughty client User Agents that we don't want accessing our C2 |
NewerOlder