@dtmsecurity dtmsecurity

## ISeeSharpProcess.cs
using System;
using System.Diagnostics;

namespace ISeeSharpProcess
{
    class Program
    {
        // Port of https://gist.github.com/mubix/1536156f06633a54e7f1f819d7fa740a
        static void GetCSharpProcess()
        {

## doh_test.sh
#!/bin/bash
printf "===START dns.google.com===\n"
curl -k -H "accept: application/dns-json" "https://dns.google.com/resolve?name=example.com&type=AAAA"
printf "\n===END dns.google.com===\n"
printf "===START cloudflare-dns.com===\n"
curl -k -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
printf "\n===END cloudflare-dns.com===\n"
printf "===START 1.1.1.1===\n"
curl -k -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=example.com&type=AAAA"
printf "\n===END 1.1.1.1===\n"

## SPNs.qds
[CommonQuery]
Handler=5EE6238AC231D011891C00A024AB2DBBC1
Form=E33FEE83D957D011B93200A024AB2DBBE6
[DsQuery]
ViewMode=0413000017
EnableFilter=0000000000
[Microsoft.PropertyWell]
Items=0000000000
QueryStringLength=4500000045
QueryStringValue=2800260028006F0062006A0065006300740043006C006100730073003D007500730065007200290028006F0062006A00650063007400430061007400650067006F00720079003D0070006500720073006F006E0029002900280073006500720076006900630065005000720069006E0063006900700061006C004E0061006D0065003D002A0029000000D7

## goldfermi.py
import urllib
from bs4 import BeautifulSoup
import tweepy
from urlextract import URLExtract
from notion.client import NotionClient
from notion.block import TodoBlock, BookmarkBlock
import os
from unshortenit import UnshortenIt

## sharpgen.cna
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";

beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");

alias sharpgen{
	$executionId  = "sharpgen_" . int(rand() * 100000);
	$temporaryCsharp =  $temppath . $executionId . ".cs";
	$executableFilename = $temppath . $executionId . ".exe";

## netbios_encode.py
# Implemented the reverse of the compact answer on:
# https://stackoverflow.com/questions/1965065/encode-netbios-name-python/1965140

def netbios_encode(input_string):
    return ''.join([chr((ord(c)>>4)+ord('A'))+chr((ord(c)&0xF)+ord('A')) for c in input_string])

def netbios_decode(netbios):
    i = iter(netbios.upper())
    try:
        return ''.join([chr(((ord(c)-ord('A'))<<4)+((ord(next(i))-ord('A'))&0xF)) for c in i])

## getStager.py
import socket
import struct

def recv_frame(sock):
    try:
        chunk = sock.recv(4)
    except:
        return("")
    if len(chunk) < 4:
        return()

## mscache.py
import sys
import re

# .\hashcat64.exe -m 2100 .\inhash.txt .\rockyou.txt

if len(sys.argv[1]) > 0:
	fh = open(str(sys.argv[1]),"r")
	lines = fh.readlines()
	fh.close()
	using System;
	using System.Diagnostics;

	namespace ISeeSharpProcess
	{
	class Program
	{
	// Port of https://gist.github.com/mubix/1536156f06633a54e7f1f819d7fa740a
	static void GetCSharpProcess()
	{
	#!/bin/bash
	printf "===START dns.google.com===\n"
	curl -k -H "accept: application/dns-json" "https://dns.google.com/resolve?name=example.com&type=AAAA"
	printf "\n===END dns.google.com===\n"
	printf "===START cloudflare-dns.com===\n"
	curl -k -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
	printf "\n===END cloudflare-dns.com===\n"
	printf "===START 1.1.1.1===\n"
	curl -k -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=example.com&type=AAAA"
	printf "\n===END 1.1.1.1===\n"
	[CommonQuery]
	Handler=5EE6238AC231D011891C00A024AB2DBBC1
	Form=E33FEE83D957D011B93200A024AB2DBBE6
	[DsQuery]
	ViewMode=0413000017
	EnableFilter=0000000000
	[Microsoft.PropertyWell]
	Items=0000000000
	QueryStringLength=4500000045
	QueryStringValue=2800260028006F0062006A0065006300740043006C006100730073003D007500730065007200290028006F0062006A00650063007400430061007400650067006F00720079003D0070006500720073006F006E0029002900280073006500720076006900630065005000720069006E0063006900700061006C004E0061006D0065003D002A0029000000D7
	import urllib
	from bs4 import BeautifulSoup
	import tweepy
	from urlextract import URLExtract
	from notion.client import NotionClient
	from notion.block import TodoBlock, BookmarkBlock
	import os
	from unshortenit import UnshortenIt
	$dotnetpath = "/usr/local/share/dotnet/dotnet";
	$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
	$temppath = "/tmp/";

	beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");

	alias sharpgen{
	$executionId = "sharpgen_" . int(rand() * 100000);
	$temporaryCsharp = $temppath . $executionId . ".cs";
	$executableFilename = $temppath . $executionId . ".exe";
	# Implemented the reverse of the compact answer on:
	# https://stackoverflow.com/questions/1965065/encode-netbios-name-python/1965140

	def netbios_encode(input_string):
	return ''.join([chr((ord(c)>>4)+ord('A'))+chr((ord(c)&0xF)+ord('A')) for c in input_string])

	def netbios_decode(netbios):
	i = iter(netbios.upper())
	try:
	return ''.join([chr(((ord(c)-ord('A'))<<4)+((ord(next(i))-ord('A'))&0xF)) for c in i])
	import socket
	import struct

	def recv_frame(sock):
	try:
	chunk = sock.recv(4)
	except:
	return("")
	if len(chunk) < 4:
	return()
	import sys
	import re

	# .\hashcat64.exe -m 2100 .\inhash.txt .\rockyou.txt

	if len(sys.argv[1]) > 0:
	fh = open(str(sys.argv[1]),"r")
	lines = fh.readlines()
	fh.close()