Nick Landers monoxgas

## Invoke-DCSync.ps1
function Invoke-DCSync
{
<#
.SYNOPSIS

Uses dcsync from mimikatz to collect NTLM hashes from the domain.

Author: @monoxgas
Improved by: @harmj0y

## urbandoor.cs
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;

## main.cpp
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>

BOOL PatchTheRet(HMODULE realModule) {

	// Get primary module info

## main.cpp
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>

DWORD WINAPI Thread(LPVOID lpParam) {
	// Insert evil stuff

	ExitProcess(0);

## vc_decrypt.py
import sys
import struct
import binascii
from itertools import cycle, zip_longest
from operator import itemgetter, xor
from collections import Counter
import re

# Some root key constants from the binary

## mscorlib_load_assembly.vba
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&

## EraseTextBoxes.bas
'https://answers.microsoft.com/en-us/msoffice/forum/all/removing-text-box-from-word-document-without/a4d02b2f-d168-48dc-960b-4a45cbe79d86
Sub ReplaceTextBoxes()
  Dim RngDoc As Range, RngShp As Range, i As Long, boundary As String
  With ActiveDocument
    For i = .Shapes.Count To 1 Step -1
      With .Shapes(i)
        'If .Type = msoTextBox Then
        'https://eileenslounge.com/viewtopic.php?p=28255#p28255
        If .TextFrame.HasText = True Then


## Rulz.py
#!/usr/bin/env python
# Rulz.py
# Author: Nick Landers (@monoxgas) - Silent Break Security

import os
import sys
import argparse
import re
import binascii
import codecs

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                monoxgas
                / keybase.md
            
            
              Created
              September 6, 2022 19:41
            
          
      View keybase.md
  
      
    Keybase proof
I hereby claim:

I am monoxgas on github.
I am monoxgas (https://keybase.io/monoxgas) on keybase.
I have a public key whose fingerprint is 8138 ABBC 8C08 62A4 1E16  A697 5856 495B 4691 8AB1

To claim this, I am signing this object:

  
## extract.cpp
// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html

// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
// > clang++ -o extract extract.cpp
// > mkdir libraries
// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/

#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
	function Invoke-DCSync
	{
	<#
	.SYNOPSIS

	Uses dcsync from mimikatz to collect NTLM hashes from the domain.

	Author: @monoxgas
	Improved by: @harmj0y
	using NtApiDotNet;
	using NtApiDotNet.Ndr.Marshal;
	using NtApiDotNet.Win32;
	using NtApiDotNet.Win32.Rpc.Transport;
	using NtApiDotNet.Win32.Security.Authentication;
	using NtApiDotNet.Win32.Security.Authentication.Kerberos;
	using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
	using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
	using NtApiDotNet.Win32.Security.Authentication.Logon;
	using System;
	#include <Windows.h>
	#include <intrin.h>
	#include <string>
	#include <TlHelp32.h>
	#include <psapi.h>

	BOOL PatchTheRet(HMODULE realModule) {

	// Get primary module info
	import sys
	import struct
	import binascii
	from itertools import cycle, zip_longest
	from operator import itemgetter, xor
	from collections import Counter
	import re

	# Some root key constants from the binary
	' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

	Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
	Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
	Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

	#If Win64 Then
	Const LS As LongPtr = 8&
	#Else
	Const LS As LongPtr = 4&
	'https://answers.microsoft.com/en-us/msoffice/forum/all/removing-text-box-from-word-document-without/a4d02b2f-d168-48dc-960b-4a45cbe79d86
	Sub ReplaceTextBoxes()
	Dim RngDoc As Range, RngShp As Range, i As Long, boundary As String
	With ActiveDocument
	For i = .Shapes.Count To 1 Step -1
	With .Shapes(i)
	'If .Type = msoTextBox Then
	'https://eileenslounge.com/viewtopic.php?p=28255#p28255
	If .TextFrame.HasText = True Then
	#!/usr/bin/env python
	# Rulz.py
	# Author: Nick Landers (@monoxgas) - Silent Break Security

	import os
	import sys
	import argparse
	import re
	import binascii
	import codecs
	// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html

	// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
	// > clang++ -o extract extract.cpp
	// > mkdir libraries
	// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/

	#include <stdio.h>
	#include <stddef.h>
	#include <dlfcn.h>