@hyp3ri0n-ng
hyp3ri0n-ng / scrun
Last active May 18, 2024 20:45
Not a fan of expect. Run stuff in screen, pass arguments to prompts you will encounter, they'll inject into screen when they come up.
#!/bin/bash
#Purpose: I don't like having to write expect scripts and stuff. I'd rather it be easier, so made this little thingy,
#it runs everything in a screen session and allows you to specify your responses to prompts. It can handle any number of
#prompts. If you don't want to define what to do, it defaults to "y" and an Enter keypress.
#Usage: ./scrun "apt install whatever; apt upgrade; etc etc" "prompt1 response" "prompt2 response" "prompt 3 response".....
#OR ./scrun "apt install whatever" without any prompt response defined manually it will just put 'y' and press enter
#example: ./scrun "apt install emacs-nox; apt remove vim" "y" "Y"
#The above example would install a REAL text editor (emacs) and when prompted by apt "are you sure blah blah?" it'll put
#a y in there and press enter. The second command is then run, uninstalling the beast/demon that is vim. For that one we
@hyp3ri0n-ng
hyp3ri0n-ng / persistence_basic.md
Last active March 21, 2024 19:55
Python persistence (simple but works so shut it!)

Re persistence, I've never liked the "super stealthy" methods I see out there. Every once in a while there's a really nice one that actually does bypass things. But then it gets attention and is mitigated or gets overwritten when you infect that obscure DLL and the user updates the file. In my experience, KEEP IT SIMPLE. I like python. It's not an executable file, you can put a static python executable on a machine and absolutely no AV is going to pick it up (hell you can throw whole folders on there if you don't want to use a static .exe). Name it like C:\ProgramData\Win32runtime\dlls\annoyingly\long\official\seeming\path\<ALL THE PYTHONS>

Most "real" reverse engineers and malware writers scoff at this, but hell I've been using this for a decade and it just works.

C:/> powershell.exe -c
"$taskTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At 3am;
$taskAction = New-ScheduledTaskAction -Execute "PowerShell" -Argument "-NoProfile -ExecutionPolicy Bypass -File 'C:\scripts\ADHealth.ps1' -W
#grab gong file from html
#!/bin/bash
x=`cat <downloaded call html> | grep 'data.mp3AudioPath' | grep -o '\".*\"' | sed 's/^.//;s/.$//'`
echo "http:$x"
@hyp3ri0n-ng
hyp3ri0n-ng / top-1k.py
Created October 29, 2018 21:15
Top 1000 ports as python list
[1,3,6,9,13,17,19,20,21,22,23,24,25,30,32,37,42,49,53,70,79,80,81,82,83,84,88,89,99,106,109,110,113,119,125,135,139,143,146,161,163,179,199,211,222,254,255,259,264,280,301,306,311,340,366,389,406,416,425,427,443,444,458,464,481,497,500,512,513,514,524,541,543,544,548,554,563,587,593,616,625,631,636,646,648,666,667,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,808,843,873,880,888,898,900,901,902,911,981,987,990,992,995,999,1000,1001,1007,1009,1010,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1102,1104,1105,1106,1107,1110,1111,1112,1113,1117,1119,1121,1122,1123,1126,1130,1131,1137,1141,1145,1147,1148,1151,1154,1163,1164,1165,1169,1174,1183,1185,1186,
@hyp3ri0n-ng
hyp3ri0n-ng / powermouse5000.py
Last active March 22, 2018 12:37
Makes your mouse a clicking machine! Every 0.1 seconds your mouse will click. Good for annoying semi-automation needed for websites and general tomfoolery. Make sure to install pyautogui with `pip install pyautogui` before running thi
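import pyautogui
import time

# Wait 10 seconds so the cursor can be positioned before clicking starts.
time.sleep(10)
while True:
    # Click at the current cursor position, then pause 0.1 seconds.
    pyautogui.click()
    time.sleep(0.1)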
@hyp3ri0n-ng
hyp3ri0n-ng / all_request_headers.py
Created January 26, 2018 04:20
All HTTP request headers in a python list
all_request_headers = ["Cache-Control", "Connection", "Date", "Pragma", "Trailer", "Transfer-Encoding", "Upgrade", "Via", "Warning", "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language", "Authorization", "Cookie", "Expect", "From", "Host", "If-Match", "If-Modified-Since", "If-None-Match", "If-Range", "If-Unmodified-Since", "Max-Forwards", "Proxy-Authorization", "Range", "Referer", "TE", "User-Agent"]