Marcello byt3bl33d3r
🧛
byt3bl33d3r
/ Caddyfile
Last active
October 6, 2023 23:38
Caddyfile reverse proxy example for C2 platforms
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this. | |
| acme_ca https://acme-staging-v02.api.letsencrypt.org/directory | |
| } | |
| (proxy_upstream) { | |
| # Enable access logging to STDOUT | |
| log | |
| # This is our list of naughty client User Agents that we don't want accessing our C2 |
byt3bl33d3r
/ manager-config.yml
Created
November 14, 2021 19:05
Nebula configuraton files for docker swarm manager and worker nodes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address | |
| # See the example config file to know what all of these options do https://github.com/slackhq/nebula/blob/master/examples/config.yml | |
| pki: | |
| ca: /etc/nebula/ca.crt | |
| cert: /etc/nebula/host.crt | |
| key: /etc/nebula/host.key | |
| static_host_map: | |
| "192.168.100.1": ["<LIGHTHOUSE_IP>:4242"] |
byt3bl33d3r
/ eventvwr_crash.py
Created
September 18, 2020 08:12
Crash the Windows Event Log service remotely (needs admin privs)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Crash the Windows Event Log Service remotely, needs Admin privs | |
| # originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r | |
| # | |
| # Once the service crashes 3 times it will not restart for 24 hours | |
| # | |
| # https://github.com/limbenjamin/LogServiceCrash | |
| # https://limbenjamin.com/articles/crash-windows-event-logging-service.html | |
| # | |
| # Needs the impacket library (https://github.com/SecureAuthCorp/impacket) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from logger import capturer | |
| from typing import Optional | |
| from fastapi import FastAPI | |
| app = FastAPI() | |
| @app.get("/logs") | |
| async def get_logs(event_name: Optional[str] = None): | |
| if not event_name: |
byt3bl33d3r
/ raw2ps_shellcode.py
Created
September 13, 2015 12:12
Converts raw shellcode to a PowerShell compatible byte array (helpful when using custom shellcode with Invoke-Shellcode.ps1)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| ps_shellcode = '@(' | |
| with open(sys.argv[1], 'rb') as shellcode: | |
| byte = shellcode.read(1) | |
| while byte != '': | |
| ps_shellcode += '0x{}, '.format(byte.encode('hex')) | |
| byte = shellcode.read(1) |
byt3bl33d3r
/ tcpdump.py
Created
September 5, 2022 13:02
— forked from gteissier/tcpdump.py
Pythonic tcpdump: copy, paste, and enjoy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| It has been tested with either py2 or py3. | |
| Beware ancient versions of Linux kernel which may not support SOCK_NONBLOCK | |
| or the memory mapped ring buffer. | |
| BPF filter listed below is compiled form of "not port 22" | |
| if you want to change it, do something like |
byt3bl33d3r
/ index.ts
Last active
August 3, 2022 05:16
HonoJS Redirector - https://byt3bl33d3r.substack.com/publish/post/66929654
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import { Hono } from "hono"; | |
| const app = new Hono() | |
| app.get('/', async (c) => { | |
| const bad_user_agent_array = ['curl', 'httpie'] | |
| const user_agent = c.req.header('User-Agent') | |
| const ip = c.req.header("CF-Connecting-IP") |
byt3bl33d3r
/ sccmdecryptpoc.cs
Created
July 4, 2022 14:45
— forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
byt3bl33d3r
/ hookdetector.vba
Created
December 8, 2020 17:45
— forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
byt3bl33d3r
/ Out-CompressedDll.nim
Last active
April 10, 2022 17:33
Compresses, Base-64 encodes and outputs PowerShell code to load a managed dll in memory. Port of the orignal PowerSploit script to Nim.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #[ | |
| Requires the zippy library ("nimble install zippy") | |
| References: | |
| - https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/silenttrinity/core/teamserver/utils.py#L22 | |
| - https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1 | |
| ]# | |
| import zippy/[inflate, deflate] | |
| import base64 |