hadrian3689
hadrian3689
/ havoc_c2decrypt.py
Last active
November 15, 2023 07:09
An ad hoc script for decrypting the Havoc C2 framework traffic.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Crypto.Cipher import AES | |
| from Crypto.Util import Counter | |
| import binascii | |
| def decrypting(key,iv,data): | |
| key = binascii.unhexlify(key) | |
| iv = binascii.unhexlify(iv) | |
| encrypted_data = binascii.unhexlify(data) | |
| ctr_cipher = AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=int.from_bytes(iv, byteorder='big'))) | |
| decrypted_data = ctr_cipher.decrypt(encrypted_data) |
hadrian3689
/ winrm_decrypt.py
Created
October 14, 2023 04:24
— forked from jborean93/winrm_decrypt.py
A script that can be used to decrypt WinRM exchanges using NTLM over http
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # PYTHON_ARGCOMPLETE_OK | |
| # Copyright: (c) 2020 Jordan Borean (@jborean93) <jborean93@gmail.com> | |
| # MIT License (see LICENSE or https://opensource.org/licenses/MIT) | |
| """ | |
| Script that can read a Wireshark capture .pcapng for a WinRM exchange and decrypt the messages. Currently only supports | |
| exchanges that were authenticated with NTLM. This is really a POC, a lot of things are missing like NTLMv1 support, |
hadrian3689
/ random_session_key_calc.py
Last active
June 2, 2023 03:59
— forked from h4sh5/random_session_key_calc.py
Random Session Key calculator based off of data from a packet capture
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| import hmac | |
| import argparse | |
| #stolen from impacket. Thank you all for your wonderful contributions to the community | |
| try: | |
| from Cryptodome.Cipher import ARC4 | |
| from Cryptodome.Cipher import DES | |
| from Cryptodome.Hash import MD4 | |
| except Exception: |