byt3bl33d3r

{
        # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(proxy_upstream) {
        # Enable access logging to STDOUT
        log
        
        # This is our list of naughty client User Agents that we don't want accessing our C2

byt3bl33d3r

#! /usr/bin/env python3

'''
    Needs Requests (pip3 install requests)

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)

    
    This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.

byt3bl33d3r

<#
References:
    - https://docs.microsoft.com/en-us/dotnet/api/system.net.websockets.clientwebsocket?view=netframework-4.5
    - https://github.com/poshbotio/PoshBot/blob/master/PoshBot/Implementations/Slack/SlackConnection.ps1
    - https://www.leeholmes.com/blog/2018/09/05/producer-consumer-parallelism-in-powershell/
#>

$client_id = [System.GUID]::NewGuid()

$recv_queue = New-Object 'System.Collections.Concurrent.ConcurrentQueue[String]'

byt3bl33d3r

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
3. Host test.dll on a remote SMB or HTTP(S) server

byt3bl33d3r

/*

Requires reference to System.Web.Extensions

*/

using System;
using System.Collections.Concurrent;
using System.Web.Script.Serialization;
using System.Text;

byt3bl33d3r

# !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address
# See the example config file to know what all of these options do https://github.com/slackhq/nebula/blob/master/examples/config.yml

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key

static_host_map:
  "192.168.100.1": ["<LIGHTHOUSE_IP>:4242"]

byt3bl33d3r

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from secrets import token_bytes


class DiffieHellman:
    def __init__(self):

byt3bl33d3r

# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)

byt3bl33d3r

from logger import capturer
from typing import Optional
from fastapi import FastAPI

app = FastAPI()

@app.get("/logs")
async def get_logs(event_name: Optional[str] = None):

    if not event_name:

byt3bl33d3r

from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup