Marcello byt3bl33d3r
byt3bl33d3r / Caddyfile
Last active September 1, 2023 15:52
Caddyfile reverse proxy example for C2 platforms
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
(proxy_upstream) {
# Enable access logging to STDOUT
# This is our list of naughty client User Agents that we don't want accessing our C2
byt3bl33d3r /
Created December 10, 2021 06:02
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (
#! /usr/bin/env python3
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
byt3bl33d3r / ws.ps1
Last active August 14, 2023 16:48
Async Websocket PowerShell client (producer/consumer pattern)
$client_id = [System.GUID]::NewGuid()
$recv_queue = New-Object 'System.Collections.Concurrent.ConcurrentQueue[String]'
byt3bl33d3r /
Last active July 21, 2023 13:07
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to, say, C:\Test. Let's use aspnet_compiler.exe as an example.
  2. Compile test.cs to test.dll with a signed strong name; this is required to load an assembly from outside a .NET application's base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
byt3bl33d3r / websockets.cs
Created August 31, 2020 19:41
Async websocket C# client (producer/consumer pattern)
Requires reference to System.Web.Extensions
using System;
using System.Collections.Concurrent;
using System.Web.Script.Serialization;
using System.Text;
byt3bl33d3r / manager-config.yml
Created November 14, 2021 19:05
Nebula configuration files for docker swarm manager and worker nodes
# !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address
# See the example config file to know what all of these options do
ca: /etc/nebula/ca.crt
cert: /etc/nebula/host.crt
key: /etc/nebula/host.key
"": ["<LIGHTHOUSE_IP>:4242"]
byt3bl33d3r /
Created October 13, 2018 02:55
ECDH Encrypted Key Exchange (Python 3.6+)
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from secrets import token_bytes
class DiffieHellman:
def __init__(self):
byt3bl33d3r /
Created September 18, 2020 08:12
Crash the Windows Event Log service remotely (needs admin privs)
# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidentally re-discovered by @byt3bl33d3r
# Once the service crashes 3 times it will not restart for 24 hours
# Needs the impacket library (
byt3bl33d3r /
Last active March 15, 2023 23:46
Structured logging and event capture
from logger import capturer
from typing import Optional
from fastapi import FastAPI
app = FastAPI()
async def get_logs(event_name: Optional[str] = None):
if not event_name:
byt3bl33d3r /
Created December 1, 2022 01:08 — forked from ustayready/
Generate phishing lures that exploit open-redirects from using Google Docs
from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup