
' Collect the PID of every running process via WMI, then open a timestamped CSV
' under C:\tools for the rest of the script (not shown in this preview) to write to.
' No Option Explicit, so timestamp and outputFile below are implicitly declared.
dim list
' .NET ArrayList reached through COM interop; holds one ProcessId per Win32_Process row
Set list = CreateObject("System.Collections.ArrayList")
' "." = the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32): the usual
' semisynchronous, forward-only enumeration (the comment must not sit between
' the " _" continuation and its next line, hence it is placed here)
Set colItems = objWMIService.ExecQuery( _
"SELECT * FROM Win32_Process",,48)
For Each objItem in colItems
list.Add objItem.ProcessId
Next
' fso is declared but never used in the visible lines (the FileSystemObject is objFso)
Dim fso, objShell, objShellEnv, strComputerName, objFso, dt
dt = now
' Compact numeric timestamp yyyyMMddHHmm (no seconds) used in the output file name
timestamp = ((year(dt)*100 + month(dt))*100 + day(dt))*10000 + hour(dt)*100 + minute(dt)
Set objShell = WScript.CreateObject("WScript.Shell")
' COMPUTERNAME is read from the process environment block; unused in the visible lines
Set objShellEnv = objShell.Environment("Process")
strComputerName = objShellEnv("ComputerName")
Set objFso = WScript.CreateObject("Scripting.FileSystemObject")
' Second argument True = overwrite an existing file of the same name. C:\tools must
' already exist (CreateTextFile does not create directories).
' NOTE(review): the output name is predictable; if C:\tools is writable by
' non-admin users, another user could pre-create/replace the file before an
' elevated run writes it -- prefer a directory only administrators can write to.
Set outputFile = objFso.CreateTextFile("C:\tools\allproc-" & timestamp & ".csv", True)
' Re-assigns the same value as above; the script continues past this preview
strComputer = "."
REM Writes wget.vbs one line at a time through echo redirection (> creates the
REM file, >> appends). The generated script takes two arguments: a URL and the
REM destination file name. The remaining echo lines are not in this preview.
REM NOTE: "#" is not a comment character in cmd.exe -- the next line runs "#" as a
REM command and fails (harmlessly); use REM or :: for comments in batch.
REM Detection note: a run of "echo ... >> *.vbs" from a command shell is itself a
REM useful hunting signal for defenders.
# From OSCP
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
REM WinHTTP proxy-setting constants; DEFAULT and PRECONFIG are both 0
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
REM Clears any pending VBScript error before the request is made
echo Err.Clear >> wget.vbs
import socket
import random
import argparse
import ssl
import time
import sys
# Some customizations on a fuzzer from SANS660
# Original SANS script is here - https://gist.github.com/joenorton8014/f6ac55d7f26023b8d5169edae6e8218a
import socket
import random
import argparse
import ssl
import time
# Some customizations on a fuzzer from SANS660
# Original SANS script is here - https://gist.github.com/joenorton8014/f6ac55d7f26023b8d5169edae6e8218a
def main():
# Not my work, from SANS660
import socket
import random
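def randstring():
    """Return a random string for use as fuzzing input.

    The length is uniform in [1, 64]; each character is an independent random
    code point in 0x30..0x7a inclusive ('0'-'9', ':'..'@', 'A'-'Z', '['..'`',
    'a'-'z').  Draws from the module-level ``random`` state, so
    ``random.seed(...)`` makes the output reproducible.

    Returns:
        str: the generated string.
    """
    # Length is drawn first, then one draw per character -- same call order as
    # the original loop, so seeded output is unchanged.
    length = random.randint(1, 64)
    # range (not xrange) so this runs under both Python 2 and Python 3.
    return "".join(chr(random.randint(0x30, 0x7a)) for _ in range(length))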
# Lab gateway helper: enable IPv4 forwarding and let the 192.168.56.0/24 subnet
# on eth1 reach the outside world through eth0. Must run as root; interface names
# and the subnet are hard-coded for this lab layout.
echo "IP forwarding state:"
sysctl net.ipv4.ip_forward
# Runtime-only change: writing /proc/sys does not survive a reboot (sysctl.conf
# or a sysctl.d drop-in is needed for persistence).
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Current IP forwarding state is:"
sysctl net.ipv4.ip_forward
echo "Enabling nat: "
# Accept new flows only from the lab subnet arriving on eth1 and leaving via eth0 ...
iptables -A FORWARD -o eth0 -i eth1 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
# ... plus return/related traffic of already-tracked flows (no interface filter,
# so this applies in both directions). -A appends: an earlier DROP/REJECT rule
# already present in FORWARD would still take precedence.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Flushes ALL existing nat POSTROUTING rules, not only this script's. The
# MASQUERADE/SNAT rule that presumably follows is outside this preview.
iptables -t nat -F POSTROUTING
# IOC sweep: for each entry under C:\Users, check whether the indicator file
# exists in that profile's Roaming AppData and hash it when present.
# Get-ChildItem without -Directory also returns plain files under C:\Users;
# each such entry would be treated as a profile name and simply fail Test-Path.
$users = Get-ChildItem "c:\users" | Select-Object name
$users | ForEach-Object {
# $user is assigned but not referenced in the visible lines
$user = $($_.Name)
# Placeholder indicator name; substitute the actual IOC filename being hunted.
# The profile root is hard-coded as C:\Users rather than taken from the system.
$iocfile = "C:\Users\$($_.Name)\AppData\Roaming\somemalwarefile.tmp"
if (Test-Path $iocfile){
# Get-FileHash uses SHA256 unless -Algorithm is given
$filehash = get-filehash $iocfile | Select-Object -ExpandProperty hash
$searchresults = "File found!"
}
else {
$filehash = "No file to hash"
# The rest of this script block (closing braces, any reporting of $filehash
# and $searchresults) is not included in this preview.
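# Computes the NT hash of a password: MD4 over the UTF-16LE encoding of the text.
# hexdigest() yields the same printed output on Python 2 and 3 (hexlify() would
# print b'...' on Python 3), and print() with a single argument works on both.
# NOTE: hashlib.new("md4") depends on the underlying OpenSSL build; on OpenSSL 3
# without the legacy provider loaded it raises ValueError ("unsupported hash type").
import hashlib, binascii
print(hashlib.new("md4", "Strong,hardtocrackpassword1".encode("utf-16le")).hexdigest())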
# python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "Strong,hardtocrackpassword1".encode("utf-16le")).digest())'
# From - https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
joe@DESKTOP-OSSID31:~/recordedfuture/final$ cat intel.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2018-07-15-14-37-37
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
1531663865.844578 CVrPZ72bEBI5x8A5bl 10.0.0.38 34154 5.79.71.225 9999 5.79.71.225 Intel::ADDR Conn::IN_RESP bro Intel::ADDR rec-future - - -