Skip to content

Instantly share code, notes, and snippets.

View dtmsecurity's full-sized avatar

@dtmsecurity dtmsecurity

42 followers · 4 following
View GitHub Profile
@dtmsecurity
dtmsecurity / mscache.py
Created October 24, 2017 10:16
Needed a dirty way to convert mimikatz output for mscache to hashcat
import sys
import re
# .\hashcat64.exe -m 2100 .\inhash.txt .\rockyou.txt
if len(sys.argv[1]) > 0:
fh = open(str(sys.argv[1]),"r")
lines = fh.readlines()
fh.close()
@dtmsecurity
dtmsecurity / netbios_encode.py
Created August 7, 2018 10:29
NETBIOS encode/decode
# Implemented the reverse of the compact answer on:
# https://stackoverflow.com/questions/1965065/encode-netbios-name-python/1965140
def netbios_encode(input_string):
return ''.join([chr((ord(c)>>4)+ord('A'))+chr((ord(c)&0xF)+ord('A')) for c in input_string])
def netbios_decode(netbios):
i = iter(netbios.upper())
try:
return ''.join([chr(((ord(c)-ord('A'))<<4)+((ord(next(i))-ord('A'))&0xF)) for c in i])
@dtmsecurity
dtmsecurity / doh_test.sh
Last active December 1, 2022 16:38
DNS over HTTPS (DoH) Resolver GET Test Script
#!/bin/bash
printf "===START dns.google.com===\n"
curl -k -H "accept: application/dns-json" "https://dns.google.com/resolve?name=example.com&type=AAAA"
printf "\n===END dns.google.com===\n"
printf "===START cloudflare-dns.com===\n"
curl -k -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
printf "\n===END cloudflare-dns.com===\n"
printf "===START 1.1.1.1===\n"
curl -k -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=example.com&type=AAAA"
printf "\n===END 1.1.1.1===\n"
@dtmsecurity
dtmsecurity / getStager.py
Created November 8, 2018 07:40
Simple test script to get a stager from Cobalt Strike External C2
import socket
import struct
def recv_frame(sock):
try:
chunk = sock.recv(4)
except:
return("")
if len(chunk) < 4:
return()
@dtmsecurity
dtmsecurity / sharpgen.cna
Created November 8, 2018 16:34
SharpGen Aggressor Beacon Wrapper
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";
@dtmsecurity
dtmsecurity / goldfermi.py
Created July 27, 2020 07:41
Integrate URLs scraped from liked tweets and Notion using the unofficial API
import urllib
from bs4 import BeautifulSoup
import tweepy
from urlextract import URLExtract
from notion.client import NotionClient
from notion.block import TodoBlock, BookmarkBlock
import os
from unshortenit import UnshortenIt
@dtmsecurity
dtmsecurity / SPNs.qds
Created August 14, 2020 09:27
Find user accounts with servicePrincipalName attribute set in native QDS file
[CommonQuery]
Handler=5EE6238AC231D011891C00A024AB2DBBC1
Form=E33FEE83D957D011B93200A024AB2DBBE6
[DsQuery]
ViewMode=0413000017
EnableFilter=0000000000
[Microsoft.PropertyWell]
Items=0000000000
QueryStringLength=4500000045
QueryStringValue=2800260028006F0062006A0065006300740043006C006100730073003D007500730065007200290028006F0062006A00650063007400430061007400650067006F00720079003D0070006500720073006F006E0029002900280073006500720076006900630065005000720069006E0063006900700061006C004E0061006D0065003D002A0029000000D7
@dtmsecurity
dtmsecurity / ISeeSharpProcess.cs
Created December 1, 2020 18:01
ISeeSharpProcess
using System;
using System.Diagnostics;
namespace ISeeSharpProcess
{
class Program
{
// Port of https://gist.github.com/mubix/1536156f06633a54e7f1f819d7fa740a
static void GetCSharpProcess()
{