David kafkaesqu3

## pfx2john.py
#!/usr/bin/env python
# coding: utf-8

"""
Modified for JtR by Dhiru Kholia in July, 2016

Copyright (c) 2015 Will Bond <will@wbond.net>

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in

## mem-loader.asm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, brandonkmiller@protonmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license.  See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF

## drvscan.cpp
#include <string>
#include <vector>
#include <fstream>
#include <iostream>
#include <filesystem>

#include <Windows.h>
#include <winternl.h>

static_assert( sizeof( void* ) == 8 );

## ntlmdecoder.py
#!/usr/bin/env python

## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
##  <http://davenport.sourceforge.net/ntlm.html>
## with additional detail subsequently added from the official protocol spec:
##  <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
##

## main.cpp
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>

DWORD WINAPI Thread(LPVOID lpParam) {
	// Insert evil stuff

	ExitProcess(0);

## gadget2jscriptQueueAPCInject.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Net;
using System.IO.Compression;

    public class Payload
    {

## blockdlls_gadget2jscript.cs
using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;

public class Payload
{
    public Payload()

## _Instructions_Reproduce.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kafkaesqu3
                / _Instructions_Reproduce.md
            
            
              Created
              April 30, 2020 01:06
            
              
                GhostLoader - AppDomainManager - Injection - 攻壳机动队
              
          
    GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe


## One-liner Mimikatz Parser
Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password"

First, before using these parsers, run:  "dos2unix mimikatz_dump.txt"

Mimikatz 1.0:

cat mimikatz_dump.txt  | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u


Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):

## Inject.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class TestClass
{

	public TestClass()
	{}
	#!/usr/bin/env python
	# coding: utf-8

	"""
	Modified for JtR by Dhiru Kholia in July, 2016

	Copyright (c) 2015 Will Bond <will@wbond.net>

	Permission is hereby granted, free of charge, to any person obtaining a copy of
	this software and associated documentation files (the "Software"), to deal in
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	;;;
	;;; Copyright (C), zznop, brandonkmiller@protonmail.com
	;;;
	;;; This software may be modified and distributed under the terms
	;;; of the MIT license. See the LICENSE file for details.
	;;;
	;;; DESCRIPTION
	;;;
	;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
	#include <string>
	#include <vector>
	#include <fstream>
	#include <iostream>
	#include <filesystem>

	#include <Windows.h>
	#include <winternl.h>

	static_assert( sizeof( void* ) == 8 );
	#!/usr/bin/env python

	## Decodes NTLM "Authenticate" HTTP-Header blobs.
	## Reads the raw blob from stdin; prints out the contained metadata.
	## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
	## Based on the excellent protocol description from:
	## <http://davenport.sourceforge.net/ntlm.html>
	## with additional detail subsequently added from the official protocol spec:
	## <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
	##
	#include <Windows.h>
	#include <intrin.h>
	#include <string>
	#include <TlHelp32.h>
	#include <psapi.h>

	DWORD WINAPI Thread(LPVOID lpParam) {
	// Insert evil stuff

	ExitProcess(0);
	using System;
	using System.IO;
	using System.Diagnostics;
	using System.Reflection;
	using System.Runtime.InteropServices;
	using System.Net;
	using System.IO.Compression;

	public class Payload
	{
	Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password"

	First, before using these parsers, run: "dos2unix mimikatz_dump.txt"

	Mimikatz 1.0:

	cat mimikatz_dump.txt \| grep -P '((Utilisateur principal)\|(msv1_0)\|(kerberos)\|(ssp)\|(wdigest)\|(tspkg))\s+:\s+.+' \| grep -v 'n\.' \| sed -e 's/^\s\+[^:]:\s\+//' \| sed -e 's/Utilisateur principal\s\+:\s\+\(.\)$/\n\1/' \| sort -u


	Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):