Erik kernel-sanders

## pypest.py
#!/usr/bin/env python

# This script prints a simple one-liner memory-only backdoor agent which hides from ps.

# It renames itself within the process list using a really hackish (AND POTENTIALLY DANGEROUS) /proc/self/mem rewrite
# and spawns a shell on port 9999. Just an experiment, there are simplest way to run unnoticed in the
# process list (see the technique used by EmPyre: https://github.com/adaptivethreat/EmPyre)

template = """
import sys,re,pty,os,socket

## Change "origin" of your GIT repository
$ git remote rm origin
$ git remote add origin git@github.com:aplikacjainfo/proj1.git
$ git config master.remote origin
$ git config master.merge refs/heads/master

## msfvenom-reverse-tcp-WaitForSingleObject.md

      
              1 file
            
          
              25 forks
            
          
              12 comments
            
          
              52 stars
            
          
                mgeeky
                / msfvenom-reverse-tcp-WaitForSingleObject.md
            
            
              Last active
              November 14, 2023 19:45
            
              
                (OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.
              
          
    Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract
This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.
Contents:

  
## ascii-shellcode-encoder.py
#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives to the program's output a binary encoded shellcode,
# and it yields on the output it's ASCII encoded form.
#
# This payload will at the beginning align the stack by firstly moving

## windows_hardening.cmd
:: Windows 10 Hardening Script
:: This is based mostly on my own personal research and testing. My objective is to secure/harden Windows 10 as much as possible while not impacting usability at all. (Think being able to run on this computer's of family members so secure them but not increase the chances of them having to call you to troubleshoot something related to it later on). References for virtually all settings can be found at the bottom. Just before the references section, you will always find several security settings commented out as they could lead to compatibility issues in common consumer setups but they're worth considering.
:: Obligatory 'views are my own'. :)
:: Thank you @jaredhaight for the Win Firewall config recommendations!
:: Thank you @ricardojba for the DLL Safe Order Search reg key!
:: Thank you @jessicaknotts for the help on testing Exploit Guard configs and checking privacy settings!
:: Best script I've found for Debloating Windows 10: https://github.com/Sycnex/Windows10Debloater
:

## Breach Compilation (1.4 billion credentials) in Postgres.md

      
              1 file
            
          
              22 forks
            
          
              2 comments
            
          
              85 stars
            
          
                spacepatcher
                / Breach Compilation (1.4 billion credentials) in Postgres.md
            
            
              Last active
              April 23, 2024 18:03
            
              
                Breach Compilation (1.4 billion credentials) in Postgres.md
              
          
    What would you need:

Postgres 9.3, 9.4, 9.5, 9.6 or 10 with cstore_fdw extention (https://github.com/citusdata/cstore_fdw)
Docker 1.12.6 or higher
Docker Compose
Linux machine

Hardware requirements

  
## Windows command line gui access.md

      
              1 file
            
          
              16 forks
            
          
              1 comment
            
          
              64 stars
            
          
                scotgabriel
                / Windows command line gui access.md
            
            
              Last active
              November 11, 2023 14:53
            
              
                Common windows functions via rundll user32 and control panel
              
          
    Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs


RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor


RunDll32.exe msrating.dll,RatingSetupUI

Control Panel


## dementor.py
#!/usr/bin/env python

# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/

import os
import sys
import argparse
import binascii
import ConfigParser

## abandonedInprocServer32.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;

namespace ComAbandonment
{
    public class ComAbandonment
    {

## resolve_domain_computers.py
#!/usr/bin/env python
# resolve domain computers by @3xocyte

import argparse
import sys
import string

# requires dnspython and ldap3
import dns.resolver
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE
	#!/usr/bin/env python

	# This script prints a simple one-liner memory-only backdoor agent which hides from ps.

	# It renames itself within the process list using a really hackish (AND POTENTIALLY DANGEROUS) /proc/self/mem rewrite
	# and spawns a shell on port 9999. Just an experiment, there are simplest way to run unnoticed in the
	# process list (see the technique used by EmPyre: https://github.com/adaptivethreat/EmPyre)

	template = """
	import sys,re,pty,os,socket
	$ git remote rm origin
	$ git remote add origin git@github.com:aplikacjainfo/proj1.git
	$ git config master.remote origin
	$ git config master.merge refs/heads/master
	#!/usr/bin/python
	#
	# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
	# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
	# utility (as described in: Hacking - The Art of Exploitation).
	#
	# Basically one gives to the program's output a binary encoded shellcode,
	# and it yields on the output it's ASCII encoded form.
	#
	# This payload will at the beginning align the stack by firstly moving
	:: Windows 10 Hardening Script
	:: This is based mostly on my own personal research and testing. My objective is to secure/harden Windows 10 as much as possible while not impacting usability at all. (Think being able to run on this computer's of family members so secure them but not increase the chances of them having to call you to troubleshoot something related to it later on). References for virtually all settings can be found at the bottom. Just before the references section, you will always find several security settings commented out as they could lead to compatibility issues in common consumer setups but they're worth considering.
	:: Obligatory 'views are my own'. :)
	:: Thank you @jaredhaight for the Win Firewall config recommendations!
	:: Thank you @ricardojba for the DLL Safe Order Search reg key!
	:: Thank you @jessicaknotts for the help on testing Exploit Guard configs and checking privacy settings!
	:: Best script I've found for Debloating Windows 10: https://github.com/Sycnex/Windows10Debloater
	:
	#!/usr/bin/env python

	# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
	# some code from https://www.exploit-db.com/exploits/2879/

	import os
	import sys
	import argparse
	import binascii
	import ConfigParser
	using System;
	using System.Collections.Generic;
	using System.IO;
	using System.Linq;
	using System.Management;

	namespace ComAbandonment
	{
	public class ComAbandonment
	{
	#!/usr/bin/env python
	# resolve domain computers by @3xocyte

	import argparse
	import sys
	import string

	# requires dnspython and ldap3
	import dns.resolver
	from ldap3 import Server, Connection, NTLM, ALL, SUBTREE